[FFmpeg-devel] [PATCH v2] avcodec/interplayvideo: Check sizes of decode buffers
Hein-Pieter van Braam
hp at tmm.cx
Mon Jul 3 00:43:27 EEST 2017
Fixes: 6503 crash with fuzzed file
Signed-off-by: Hein-Pieter van Braam <hp at tmm.cx>
---
libavcodec/interplayvideo.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index d6f484a..86530e6 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -972,6 +972,8 @@ static void ipvideo_decode_format_06_opcodes(IpvideoContext *s, AVFrame *frame)
x, y, opcode, bytestream2_tell(&s->stream_ptr));
s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0];
+ if (s->pixel_ptr > (s->pixel_ptr + s->upper_motion_limit_offset))
+ return;
ipvideo_format_06_passes[pass](s, frame, opcode);
}
}
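Review bot: The guard added at the first `+` line compares `s->pixel_ptr` against `s->pixel_ptr + s->upper_motion_limit_offset`, a test that does not depend on where `pixel_ptr` points: mathematically it is true only when `upper_motion_limit_offset` is negative, and forming a pointer beyond the buffer just to compare it is undefined behaviour, so the compiler is free to fold the check to a constant or drop it. The second hunk (the `cur_decode_frame` loop) adds the same self-referential comparison and has the same problem. If `upper_motion_limit_offset` is, as its name suggests, an offset from the start of the plane, the check should be taken relative to that base, e.g. `if (s->pixel_ptr - frame->data[0] > s->upper_motion_limit_offset) return;` here and the corresponding `s->cur_decode_frame->data[0]` form in the second hunk; a comment such as `/* skip blocks whose origin lies past the last full 8x8 block */` would make the intent explicit. `ipvideo_decode_format_06_opcodes` begins outside the hunk, so I cannot confirm from this page how `upper_motion_limit_offset` is initialised.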
@@ -1043,6 +1045,12 @@ static void ipvideo_decode_format_10_opcodes(IpvideoContext *s, AVFrame *frame)
for (y = 0; y < s->avctx->height; y += 8) {
for (x = 0; x < s->avctx->width; x += 8) {
s->pixel_ptr = s->cur_decode_frame->data[0] + x + y * s->cur_decode_frame->linesize[0];
+ if (s->pixel_ptr > s->pixel_ptr + s->upper_motion_limit_offset)
+ return;
+
+ if (s->cur_decode_frame->width != s->avctx->width ||
+ s->cur_decode_frame->height != s->avctx->height)
+ return;
while (skip <= 0) {
if (skip != -0x8000 && skip) {
--
2.9.4