dfa: improve boundary checks in decode_dds1()

Fixes CVE-2012-2798 CC:libav-stable@libav.org

dfa: improve boundary checks in decode_dds1()
Fixes CVE-2012-2798 CC:libav-stable@libav.org
d05f72c7 · Anton Khirnov · 6a99310f · d05f72c7
Commit d05f72c7 authored Sep 29, 2012 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

dfa.c libavcodec/dfa.c +6 -4

No files found.
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
            bitbuf = bytestream2_get_le16u(gb);
            mask = 1;
        }
-        if (frame_end - frame < 2)
-            return AVERROR_INVALIDDATA;
+
        if (bitbuf & mask) {
            v = bytestream2_get_le16(gb);
            offset = (v & 0x1FFF) << 2;
@@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                frame += 2;
            }
        } else if (bitbuf & (mask << 1)) {
-            frame += bytestream2_get_le16(gb) * 2;
+            v = bytestream2_get_le16(gb)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
        } else {
-            if (frame_end - frame < width + 2)
+            if (frame_end - frame < width + 3)
                return AVERROR_INVALIDDATA;
            frame[0] = frame[1] =
            frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);