diff mbox series

[FFmpeg-devel] avcodec/exr: More strictly check dc_count

Message ID 20210525202202.30383-1-michael@niedermayer.cc
State Accepted
Commit 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777
Headers show
Series [FFmpeg-devel] avcodec/exr: More strictly check dc_count | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer May 25, 2021, 8:22 p.m. UTC 
Fixes: out of array access
Fixes: exr/deneme

Found-by: Burak Çarıkçı <burakcarikci@crypttech.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Niedermayer May 27, 2021, 3:44 p.m. UTC | #1 
On Tue, May 25, 2021 at 10:22:02PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: exr/deneme
> 
> Found-by: Burak Çarıkçı <burakcarikci@crypttech.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/exr.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9377a89169..4648ed7d62 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1059,11 +1059,11 @@  static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
         bytestream2_skip(&gb, ac_size);
     }
 
-    if (dc_size > 0) {
+    {
         unsigned long dest_len = dc_count * 2LL;
         GetByteContext agb = gb;
 
-        if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)
+        if (dc_count != dc_w * dc_h * 3)
             return AVERROR_INVALIDDATA;
 
         av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);