Commit 4d7d9a57 authored by Michael Niedermayer

avcodec/hnm4video: check offset before subtraction in decode_interframe_v4a()

Fixes out of array read
Fixes: signal_sigsegv_1326a09_1752_cov_245452111_GRTH301.HNS
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 8e36fc0c
...@@ -311,8 +311,13 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, ...@@ -311,8 +311,13 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
offset = writeoffset; offset = writeoffset;
offset += bytestream2_get_le16(&gb); offset += bytestream2_get_le16(&gb);
if (delta) if (delta) {
if (offset < 0x10000) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
break;
}
offset -= 0x10000; offset -= 0x10000;
}
if (offset + hnm->width + count >= hnm->width * hnm->height) { if (offset + hnm->width + count >= hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
......
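Review bot: The new `offset < 0x10000` guard logs the same "Attempting to read out of bounds" text as the upper-bound check right after it, so a log line from a malformed file does not show which check rejected the frame. A distinct message such as `"Delta offset below 0x10000, would underflow\n"` would make crash triage quicker. The guard also deserves a short comment, e.g. `/* offset is presumably unsigned: subtracting 0x10000 from a smaller value would wrap and could get past the bound check below */`, because the declaration of `offset` is outside the hunk and the reason for the check is not evident from these lines alone. Separately, `break` only leaves the enclosing loop and the function is declared `static void`, so the caller apparently cannot tell a rejected frame from a decoded one. Whether that matters depends on code outside this hunk.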