Commit 0ce3a0f9 authored by Michael Niedermayer's avatar Michael Niedermayer Committed by Luca Barbato

utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: 's avatarVittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: 's avatarLuca Barbato <lu_zero@gentoo.org>
parent 7b9cb7b3
...@@ -213,6 +213,8 @@ static void restore_median(uint8_t *src, int step, int stride, ...@@ -213,6 +213,8 @@ static void restore_median(uint8_t *src, int step, int stride,
slice_start = ((slice * height) / slices) & cmask; slice_start = ((slice * height) / slices) & cmask;
slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_height = ((((slice + 1) * height) / slices) & cmask) -
slice_start; slice_start;
if (!slice_height)
continue;
bsrc = src + slice_start * stride; bsrc = src + slice_start * stride;
...@@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, ...@@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride,
slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_height = ((((slice + 1) * height) / slices) & cmask) -
slice_start; slice_start;
slice_height >>= 1; slice_height >>= 1;
if (!slice_height)
continue;
bsrc = src + slice_start * stride; bsrc = src + slice_start * stride;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment