[FFmpeg-cvslog] avcodec/dxv: Check idx in CHECKPOINT()

Michael Niedermayer git at videolan.org
Tue Jan 5 02:56:54 CET 2016


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Jan  5 02:28:10 2016 +0100| [eb8a67de75ef6fd043f5749f6448c1874f149783] | committer: Michael Niedermayer

avcodec/dxv: Check idx in CHECKPOINT()

Fixes out of array read

Fixes Ticket5098
Fixes Ticket5099

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb8a67de75ef6fd043f5749f6448c1874f149783
---

 libavcodec/dxv.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 4fdfd65..f1ea298 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -105,9 +105,17 @@ static int decompress_texture_thread(AVCodecContext *avctx, void *arg,
             break;                                                            \
         case 2:                                                               \
             idx = (bytestream2_get_byte(gbc) + 2) * x;                        \
+            if (idx > pos) {                                                  \
+                av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);       \
+                return AVERROR_INVALIDDATA;                                   \
+            }                                                                 \
             break;                                                            \
         case 3:                                                               \
             idx = (bytestream2_get_le16(gbc) + 0x102) * x;                    \
+            if (idx > pos) {                                                  \
+                av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);       \
+                return AVERROR_INVALIDDATA;                                   \
+            }                                                                 \
             break;                                                            \
         }                                                                     \
     } while(0)



More information about the ffmpeg-cvslog mailing list