Commit f5d46d33 authored by Anton Khirnov

vmnc: check that subrectangles fit into their containing rectangles

Fixes possible invalid writes with corrupted files.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
parent 83b92a85
...@@ -287,12 +287,24 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb, ...@@ -287,12 +287,24 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
for (k = 0; k < rects; k++) { for (k = 0; k < rects; k++) {
int rect_x, rect_y, rect_w, rect_h;
if (color) if (color)
fg = vmnc_get_pixel(gb, bpp, c->bigendian); fg = vmnc_get_pixel(gb, bpp, c->bigendian);
xy = bytestream2_get_byte(gb); xy = bytestream2_get_byte(gb);
wh = bytestream2_get_byte(gb); wh = bytestream2_get_byte(gb);
paint_rect(dst2, xy >> 4, xy & 0xF,
(wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride); rect_x = xy >> 4;
rect_y = xy & 0xF;
rect_w = (wh >> 4) + 1;
rect_h = (wh & 0xF) + 1;
if (rect_x + rect_w > bw || rect_y + rect_h > bh) {
av_log(c->avctx, AV_LOG_ERROR, "Invalid subrect\n");
return AVERROR_INVALIDDATA;
}
paint_rect(dst2, rect_x, rect_y,
rect_w, rect_h, fg, bpp, stride);
} }
} }
} }
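Review bot: The rejection path logs only `"Invalid subrect\n"` and drops the values that failed the test, so a corrupted sample cannot be triaged from the log alone. Something like `av_log(c->avctx, AV_LOG_ERROR, "Invalid subrect %dx%d at %d,%d (tile %dx%d)\n", rect_w, rect_h, rect_x, rect_y, bw, bh);` would keep them, assuming `bw` and `bh` are `int`, which the hunk does not show. The comparison itself cannot overflow if `xy` and `wh` hold single byte values, since each sum is then at most 15 + 16. It is only as strong as `bw`/`bh`, which are set outside the hunk, so a comment above the check such as `/* bw/bh are the tile size already clipped to the frame; paint_rect() does no bounds checking of its own */` would record the invariant once confirmed against the rest of the function. The body of `decode_hextile` starts and ends outside this hunk.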