[CVE-2017-9992] dfa: Disallow odd width/height and add proper bounds check for DDS1...

author hj kim <backto.kim@samsung.com>

Fri, 25 May 2018 06:07:20 +0000 (15:07 +0900)

committer hj kim <backto.kim@samsung.com>

Fri, 25 May 2018 06:07:36 +0000 (15:07 +0900)
author hj kim <backto.kim@samsung.com>
Fri, 25 May 2018 06:07:20 +0000 (15:07 +0900)
committer hj kim <backto.kim@samsung.com>
Fri, 25 May 2018 06:07:36 +0000 (15:07 +0900)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c

old mode 100644 (file)

new mode 100755 (executable)

index 8021193..6362555
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
      int mask = 0x10000, bitbuf = 0;
      int i, v, offset, count, segments;
  
+    if ((width | height) & 1)
+        return AVERROR_INVALIDDATA;
      segments = bytestream2_get_le16(gb);
      while (segments--) {
          if (bytestream2_get_bytes_left(gb) < 2)
@@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                  return AVERROR_INVALIDDATA;
              frame += v;
          } else {
-            if (frame_end - frame < width + 3)
+            if (width < 4 || frame_end - frame < width + 4)
                  return AVERROR_INVALIDDATA;
              frame[0] = frame[1] =
              frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
author	hj kim <backto.kim@samsung.com>
	Fri, 25 May 2018 06:07:20 +0000 (15:07 +0900)
committer	hj kim <backto.kim@samsung.com>
	Fri, 25 May 2018 06:07:36 +0000 (15:07 +0900)