[FFmpeg-cvslog] utvideodec: Handle slice_height being zero
    Michael Niedermayer 
    git at videolan.org
       
    Mon Mar  9 13:38:39 CET 2015
    
    
  
ffmpeg | branch: release/2.2 | Michael Niedermayer <michaelni at gmx.at> | Wed Mar  4 17:36:14 2015 +0000| [e032e647dd79e7748145792dfee0358eccb1982e] | committer: Reinhard Tartler
utvideodec: Handle slice_height being zero
Fixes out of array accesses.
CC: libav-stable at libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara at gmail.com>
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)
(cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e032e647dd79e7748145792dfee0358eccb1982e
---
 libavcodec/utvideodec.c |    4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 3492595..c4a75c9 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -211,6 +211,8 @@ static void restore_median(uint8_t *src, int step, int stride,
         slice_start  = ((slice * height) / slices) & cmask;
         slice_height = ((((slice + 1) * height) / slices) & cmask) -
                        slice_start;
+        if (!slice_height)
+            continue;
 
         bsrc = src + slice_start * stride;
 
@@ -267,6 +269,8 @@ static void restore_median_il(uint8_t *src, int step, int stride,
         slice_height   = ((((slice + 1) * height) / slices) & cmask) -
                          slice_start;
         slice_height >>= 1;
+        if (!slice_height)
+            continue;
 
         bsrc = src + slice_start * stride;
 
    
    
More information about the ffmpeg-cvslog
mailing list