[FFmpeg-devel] [PATCH 1/2] avcodec/tdsc: Fix tile checks
Michael Niedermayer
michael at niedermayer.cc
Thu Jul 16 10:27:27 EEST 2020
Fixes: out of array access
Fixes: crash.asf
Found-by: anton listov <greyfarn7 at yandex.ru>
Reviewed-by: anton listov <greyfarn7 at yandex.ru>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/tdsc.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c
index eaea41c1f5..3617911071 100644
--- a/libavcodec/tdsc.c
+++ b/libavcodec/tdsc.c
@@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles)
for (i = 0; i < number_tiles; i++) {
int tile_size;
int tile_mode;
- int x, y, w, h;
+ int x, y, x2, y2, w, h;
int ret;
if (bytestream2_get_bytes_left(&ctx->gbc) < 4 ||
@@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles)
bytestream2_skip(&ctx->gbc, 4); // unknown
x = bytestream2_get_le32(&ctx->gbc);
y = bytestream2_get_le32(&ctx->gbc);
- w = bytestream2_get_le32(&ctx->gbc) - x;
- h = bytestream2_get_le32(&ctx->gbc) - y;
+ x2 = bytestream2_get_le32(&ctx->gbc);
+ y2 = bytestream2_get_le32(&ctx->gbc);
- if (x >= ctx->width || y >= ctx->height) {
+ if (x < 0 || y < 0 || x2 <= x || y2 <= y ||
+ x2 > ctx->width || y2 > ctx->height
+ ) {
av_log(avctx, AV_LOG_ERROR,
- "Invalid tile position (%d.%d outside %dx%d).\n",
- x, y, ctx->width, ctx->height);
- return AVERROR_INVALIDDATA;
- }
- if (x + w > ctx->width || y + h > ctx->height) {
- av_log(avctx, AV_LOG_ERROR,
- "Invalid tile size %dx%d\n", w, h);
+ "Invalid tile position (%d.%d %d.%d outside %dx%d).\n",
+ x, y, x2, y2, ctx->width, ctx->height);
return AVERROR_INVALIDDATA;
}
+ w = x2 - x;
+ h = y2 - y;
ret = av_reallocp(&ctx->tilebuffer, tile_size);
if (!ctx->tilebuffer)
--
2.17.1
More information about the ffmpeg-devel
mailing list