Message ID | 20210525202202.30383-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 |
Headers | show |
Series | [FFmpeg-devel] avcodec/exr: More strictly check dc_count | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Tue, May 25, 2021 at 10:22:02PM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: exr/deneme > > Found-by: Burak Çarıkçı <burakcarikci@crypttech.com> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/exr.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) will apply [...]
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9377a89169..4648ed7d62 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size bytestream2_skip(&gb, ac_size); } - if (dc_size > 0) { + { unsigned long dest_len = dc_count * 2LL; GetByteContext agb = gb; - if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64) + if (dc_count != dc_w * dc_h * 3) return AVERROR_INVALIDDATA; av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
Fixes: out of array access Fixes: exr/deneme Found-by: Burak Çarıkçı <burakcarikci@crypttech.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)