[FFmpeg-devel] [PATCH] rpza: fix the bounds check
Xiao Yang
YangX92 at hotmail.com
Thu Jun 21 06:46:52 EEST 2018
Fixes invalid writes when there are more blocks in a run than total remaining blocks
(see CVE-2014-8548)
---
libavcodec/rpza.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index b71ebd1..7cb6b89 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -68,6 +68,11 @@ typedef struct RpzaContext {
row_ptr += stride * 4; \
} \
total_blocks--; \
+ if (total_blocks < !!n_blocks) \
+ { \
+ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \
+ return; \
+ } \
}
static int rpza_decode_stream(RpzaContext *s)
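Review bot: the bare `return;` in the added check yields no value, yet the context line right after the macro shows rpza_decode_stream() declared as returning int; if the macro is expanded in that function, the error path should return an error code such as AVERROR_INVALIDDATA so the caller can tell the frame was truncated. A `return` hidden inside a macro is also easy to miss when reading the call sites, so a comment at the macro definition would help. The message is logged at AV_LOG_INFO while its own text says "warning", and it says the counter "went negative" although `total_blocks < !!n_blocks` also fires when total_blocks is 0 and n_blocks is still nonzero. I would suggest AV_LOG_ERROR with wording that matches the condition, and either a short comment explaining the `!!n_blocks` trick or the two cases (blocks left in the run, no blocks left in the run) written out separately.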
--
1.7.9.5