From 5a5274a67f5c0e51d052922c2a47656a38798720 Mon Sep 17 00:00:00 2001
From: hj kim <backto.kim@samsung.com>
Date: Fri, 25 May 2018 15:07:20 +0900
Subject: [PATCH] [CVE-2017-9992] dfa: Disallow odd width/height and add proper
 bounds check for DDS1 chunks

Change-Id: Ide200fccfcdd74eebd1e6d35843cdfdd1a3d1379
---
 libavcodec/dfa.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 libavcodec/dfa.c

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
old mode 100644
new mode 100755
index 8021193..6362555
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
     int mask = 0x10000, bitbuf = 0;
     int i, v, offset, count, segments;
 
+    if ((width | height) & 1)
+        return AVERROR_INVALIDDATA;
     segments = bytestream2_get_le16(gb);
     while (segments--) {
         if (bytestream2_get_bytes_left(gb) < 2)
@@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                 return AVERROR_INVALIDDATA;
             frame += v;
         } else {
-            if (frame_end - frame < width + 3)
+            if (width < 4 || frame_end - frame < width + 4)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
-- 
2.7.4