
[FFmpeg-devel] avcodec/interplayvideo: Check sizes of decode buffers

Message ID 20170702212448.23891-1-hp@tmm.cx
State Superseded

Commit Message

Hein-Pieter van Braam July 2, 2017, 9:24 p.m. UTC
Fixes: 6503 crash with fuzzed file
---
 libavcodec/interplayvideo.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Hein-Pieter van Braam July 2, 2017, 9:43 p.m. UTC | #1
On Sun, 2017-07-02 at 23:24 +0200, Hein-Pieter van Braam wrote:
> Fixes: 6503 crash with fuzzed file
> ---

I messed this up, I'll try to be more careful next time. v2 coming.

Patch

diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index d6f484a..4b0e36d 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -972,6 +972,8 @@  static void ipvideo_decode_format_06_opcodes(IpvideoContext *s, AVFrame *frame)
                         x, y, opcode, bytestream2_tell(&s->stream_ptr));
 
                 s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0];
+                if (s->pixel_ptr >= (s->pixel_ptr + s->upper_motion_limit_offset))
+                    return;
                 ipvideo_format_06_passes[pass](s, frame, opcode);
             }
         }
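Review bot: The guard added at line 37 cannot reject an out-of-range block: `s->pixel_ptr >= (s->pixel_ptr + s->upper_motion_limit_offset)` compares a pointer with itself plus an offset, so it is true only when the offset is non-positive and never depends on x or y; the `>` form at line 46 in the second hunk has the same problem. Forming `frame->data[0] + x + y * frame->linesize[0]` for a block outside the buffer is already undefined, so the bound has to be tested on the coordinates before the pointer is formed, for example `if (x + y * frame->linesize[0] > s->upper_motion_limit_offset) return;` if upper_motion_limit_offset is, as its name suggests, a byte offset from data[0] (confirm where it is set). If the loop bounds come from avctx while the frame may be smaller, a plain width/height comparison before the loops, like the one the second hunk adds for cur_decode_frame, is the simpler fix. ipvideo_decode_format_06_opcodes begins outside the hunk.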
@@ -1043,6 +1045,12 @@  static void ipvideo_decode_format_10_opcodes(IpvideoContext *s, AVFrame *frame)
         for (y = 0; y < s->avctx->height; y += 8) {
             for (x = 0; x < s->avctx->width; x += 8) {
                 s->pixel_ptr = s->cur_decode_frame->data[0] + x + y * s->cur_decode_frame->linesize[0];
+                if (s->pixel_ptr > s->pixel_ptr + s->upper_motion_limit_offset)
+                    return;
+
+                if (s->cur_decode_frame->width != s->avctx->width ||
+                        s->cur_decode_frame->height != s->avctx->height)
+                    return;
 
                 while (skip <= 0)  {
                     if (skip != -0x8000 && skip) {
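Review bot: The dimension comparison at lines 49-51 does not depend on x or y, so it belongs before the outer `for (y ...)` loop rather than inside the innermost one, where it is re-evaluated for every 8x8 block and only runs after `s->pixel_ptr` has already been computed from the possibly mismatched frame. Hoisted, it reads `if (s->cur_decode_frame->width != s->avctx->width || s->cur_decode_frame->height != s->avctx->height) return;` immediately before the y loop, and the per-block pointer check at line 46 becomes unnecessary once the frame is known to match the coded size. The function and the remainder of the loop body lie outside the hunk.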