[FFmpeg-cvslog] dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks
Diego Biurrun git at videolan.org
Sat Nov 11 05:56:15 EET 2017

ffmpeg | branch: master | Diego Biurrun <diego at biurrun.de> | Fri Aug 11 19:15:20 2017 +0200| [d34a133b78afe2793cd8537f3c7f42437f441e94] | committer: Diego Biurrun
dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks
DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not
allowed in that case. Also ensure that the decode buffer is big enough
for all blocks being processed.
Bug-Id: CVE-2017-9992
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d34a133b78afe2793cd8537f3c7f42437f441e94
---
 libavcodec/dfa.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 2654118fad..1682eb08cd 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
     int mask = 0x10000, bitbuf = 0;
     int i, v, offset, count, segments;
 
+    if ((width | height) & 1)
+        return AVERROR_INVALIDDATA;
     segments = bytestream2_get_le16(gb);
     while (segments--) {
         if (bytestream2_get_bytes_left(gb) < 2)
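Review bot: The new `(width | height) & 1` test at the top of decode_dds1() carries no comment saying why odd dimensions are invalid here. The reason (DDS1 is decoded in 2x2 blocks) is given only in the commit message. A one-line comment above the check would keep that rationale with the code, and a blank line between the `return AVERROR_INVALIDDATA;` and `segments = bytestream2_get_le16(gb);` would separate argument validation from the start of parsing. Placing the check before the first read from `gb` is good, since a rejected chunk leaves the byte context untouched.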
@@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                 return AVERROR_INVALIDDATA;
             frame += v;
         } else {
-            if (frame_end - frame < width + 3)
+            if (width < 4 || frame_end - frame < width + 4)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
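Review bot: The bound `frame_end - frame < width + 4` in the else branch is a magic number whose derivation is not visible next to it. The writes shown directly below reach at most `frame[width + 1]`, so a reader cannot tell from here which store requires `width + 4` bytes. Please add a comment naming the highest index written by this branch, so the check and the writes can be kept in sync if either changes. Separately, `width < 4` does not depend on anything read inside the loop. If narrow frames should be rejected for every DDS1 chunk, it could sit beside the odd-dimension test at function entry. If it is meant to apply only when this branch is taken, a short comment saying so would prevent someone from hoisting it later.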
    
    