Message ID | SIXPR01MB0560F1B1EB1140C47DDC749DAD760@SIXPR01MB0560.apcprd01.prod.exchangelabs.com |
---|---|
State | New |
2018-06-21 5:46 GMT+02:00, Xiao Yang <YangX92@hotmail.com>: > Fixes invalid writes when there are more blocks in a run > than total remaining blocks Please provide a test-case that allows to reproduce the issue your patch fixes. > (see CVE-2014-8548) > --- > libavcodec/rpza.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c > index b71ebd1..7cb6b89 100644 > --- a/libavcodec/rpza.c > +++ b/libavcodec/rpza.c > @@ -68,6 +68,11 @@ typedef struct RpzaContext { > row_ptr += stride * 4; \ > } \ > total_blocks--; \ > + if (total_blocks < !!n_blocks) \ > + { \ > + av_log(s->avctx, AV_LOG_INFO, "warning: block > counter just went negative (this should not happen)\n"); \ > + return; \ This produces several warnings at compile time, please fix them. Carl Eugen
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index b71ebd1..7cb6b89 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -68,6 +68,11 @@ typedef struct RpzaContext { row_ptr += stride * 4; \ } \ total_blocks--; \ + if (total_blocks < !!n_blocks) \ + { \ + av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ + return; \ + } \ } static int rpza_decode_stream(RpzaContext *s)
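Review bot: The added `return;` carries no value, yet the trailing context shows that the code following this macro body is `static int rpza_decode_stream(RpzaContext *s)`. If the macro is expanded inside that function, every expansion is a bare return in an int function, which would account for the compile-time warnings mentioned in the reply and leaves the caller without a defined error value. Consider returning an error code such as `AVERROR_INVALIDDATA` so the failure propagates. Two smaller points on the same added lines: the message is logged at `AV_LOG_INFO` although its text begins with "warning:", so `AV_LOG_WARNING` or `AV_LOG_ERROR` would match the intent; and the condition `total_blocks < !!n_blocks` also fires when `total_blocks` is 0 and `n_blocks` is nonzero, which is not the "went negative" case the message describes, so a short comment explaining the `!!n_blocks` comparison (or a message that matches it) would help. As the reply asks, a sample that reproduces the invalid write would let the check be verified.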