From patchwork Thu Nov 14 20:01:42 2019
X-Patchwork-Submitter: James Boyle
X-Patchwork-Id: 16273
To: ffmpeg-devel@ffmpeg.org
From: James Boyle
Organization: Quotient
Message-ID: <1c5d7cb5-5bd2-489d-d528-38cc67a64c65@quotient-inc.com>
Date: Thu, 14 Nov 2019 15:01:42 -0500
Subject: [FFmpeg-devel] [PATCH 2/2] backport out of array access fix / CVE-2019-17542 / 15919 clusterfuzz

Hello,

This patch is nearly identical to commit 02f909dc24b1f05cfbba75077c7707b905e63cd2, but is intended to backport the fix for CVE-2019-17542 to ffmpeg version 3.4.6, which is in use on RHEL 7 systems that get ffmpeg from rpmfusion.

https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2

--- libavcodec/vqavideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) } diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 0e70be1..b9743ab 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -147,7 +147,7 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); - if ((ret = av_image_check_size(s->width, s->height, 0, avctx)) < 0) { + if ((ret = ff_set_dimensions(avctx, s->width, s->height)) < 0) { s->width= s->height= 0; return ret;
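
Review bot: The hunk as posted looks truncated and may not apply: the header "@@ -147,7 +147,7 @@" declares seven lines on each side, but only six follow (three lines of leading context, the changed "if", and two lines of trailing context ending at "return ret;"), and a stray "}" sits between the diffstat and the "diff --git" line. Regenerating the mail with git format-patch and sending it with git send-email would keep the hunk intact. The message should also say in one sentence why replacing "av_image_check_size(s->width, s->height, 0, avctx)" with "ff_set_dimensions(avctx, s->width, s->height)" in vqa_decode_init closes the out-of-array access, and name the release branch the backport targets, so the change can be reviewed without opening the upstream commit.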