gifdec: refactor interleave end handling

Fixes invalid writes with very small image heights. CC: libav-stable@libav.org Bug-ID: CVE-2014-8547 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>

gifdec: refactor interleave end handling
Fixes invalid writes with very small image heights. CC: libav-stable@libav.org Bug-ID: CVE-2014-8547 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>
0b39ac6f · Michael Niedermayer · Anton Khirnov · 17ba719d · 0b39ac6f
Commit 0b39ac6f authored Oct 03, 2014 by Michael Niedermayer Committed by Anton Khirnov Dec 19, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 10 deletions

gifdec.c libavcodec/gifdec.c +5 -10

No files found.
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -125,26 +125,21 @@ static int gif_read_image(GifState *s, AVFrame *frame)
            case 1:
                y1 += 8;
                ptr += linesize * 8;
-                if (y1 >= height) {
-                    y1 = pass ? 2 : 4;
-                    ptr = ptr1 + linesize * y1;
-                    pass++;
-                }
                break;
            case 2:
                y1 += 4;
                ptr += linesize * 4;
-                if (y1 >= height) {
-                    y1 = 1;
-                    ptr = ptr1 + linesize;
-                    pass++;
-                }
                break;
            case 3:
                y1 += 2;
                ptr += linesize * 2;
                break;
            }
+            while (y1 >= height) {
+                y1  = 4 >> pass;
+                ptr = ptr1 + linesize * y1;
+                pass++;
+            }
        } else {
            ptr += linesize;
        }