[FFmpeg-cvslog] utvideodec: Handle slice_height being zero
Michael Niedermayer
git at videolan.org
Mon Mar 9 02:16:18 CET 2015
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed Mar 4 17:36:14 2015 +0000| [0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d] | committer: Luca Barbato
utvideodec: Handle slice_height being zero
Fixes out of array accesses.
CC: libav-stable at libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara at gmail.com>
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d
---
libavcodec/utvideodec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 7d75c59..bb8c7aa 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -213,6 +213,8 @@ static void restore_median(uint8_t *src, int step, int stride,
slice_start = ((slice * height) / slices) & cmask;
slice_height = ((((slice + 1) * height) / slices) & cmask) -
slice_start;
+ if (!slice_height)
+ continue;
bsrc = src + slice_start * stride;
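Review bot: the `if (!slice_height)` test added after the slice_height computation in restore_median() catches only an exactly empty slice, and nothing in the hunk says why an empty slice is legal or whether the difference can go negative. A zero here means two consecutive boundaries of `(slice * height) / slices` land on the same masked row, for instance when slices is larger than height, so it is worth also validating the slice count against the height where it is read. That would cover every per-slice loop rather than only this one. If a negative value is impossible, a one-line comment saying so would help; otherwise `slice_height <= 0` is the safer condition.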
@@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride,
slice_height = ((((slice + 1) * height) / slices) & cmask) -
slice_start;
slice_height >>= 1;
+ if (!slice_height)
+ continue;
bsrc = src + slice_start * stride;
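Review bot: in restore_median_il() the zero check sits after `slice_height >>= 1;`, so a slice whose computed height is 1 is also reduced to 0 and skipped without any trace. If cmask guarantees an even height on this path, please say so in a comment next to the check; if not, that single row is silently left unrestored and a debug log or an error return may be more appropriate than `continue`. The same two-line test is now duplicated in both functions, so computing and validating the slice bounds in one small helper would keep the two copies from drifting apart.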