[FFmpeg-devel] proresdec_lgpl: explicitly check coff[3] against slice_data_size

Message ID a5b51f52-0970-8745-c706-02d80fa0cb67@googlemail.com
State Accepted
Commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70

Commit Message

Andreas Cadhalpun Nov. 9, 2016, 10:56 p.m. UTC
The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.

This fixes segmentation faults due to invalid reads.

This problem was introduced in commit
547c2f002a87f4412a83c23b0d60364be5e7ce58.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/proresdec_lgpl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
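To make the failure case named in the commit message concrete, here is an added C model of the slice layout (example code written for this page, not the decoder's own; the struct, `layout`, `slice_ok_before`, `slice_ok_after` and the sample header are hypothetical simplifications of how `coff`, `v_data_size` and `a_data_size` are derived, following the commit message rather than the real source):

```c
#include <stdbool.h>

/* Simplified slice header model (assumption, not the decoder's struct).
 * When hdr_size > 7 the V size is carried explicitly in the header;
 * otherwise it is whatever remains of the slice after Y and U. */
typedef struct {
    int hdr_size;     /* header length in bytes */
    int y_data_size;
    int u_data_size;
    int v_data_size;  /* only used when hdr_size > 7 */
    int alpha_info;   /* non-zero if an alpha plane follows V */
} slice_hdr_t;

/* Derives component offsets as the commit message describes: coff[3] is the
 * end of V, and v/a sizes are only implicitly bounded by slice_data_size when
 * they are computed from the remainder rather than read from the header. */
static void layout(const slice_hdr_t *h, int slice_data_size,
                   int coff[4], int *v_data_size, int *a_data_size)
{
    coff[0] = h->hdr_size;
    coff[1] = coff[0] + h->y_data_size;
    coff[2] = coff[1] + h->u_data_size;
    *v_data_size = h->hdr_size > 7
                 ? h->v_data_size             /* explicit, never compared to slice size */
                 : slice_data_size - coff[2]; /* remainder, negative if Y+U too large */
    coff[3] = coff[2] + *v_data_size;
    *a_data_size = h->alpha_info ? slice_data_size - coff[3] : 0;
}

/* Pre-patch check: relies on a negative v/a size to catch over-long components. */
bool slice_ok_before(const slice_hdr_t *h, int slice_data_size)
{
    int coff[4], v, a;
    layout(h, slice_data_size, coff, &v, &a);
    return !(v < 0 || a < 0 || h->hdr_size < 6);
}

/* Post-patch check: the end of V is compared against the slice size explicitly. */
bool slice_ok_after(const slice_hdr_t *h, int slice_data_size)
{
    int coff[4], v, a;
    layout(h, slice_data_size, coff, &v, &a);
    return !(v < 0 || a < 0 || h->hdr_size < 6 || coff[3] > slice_data_size);
}

/* Constructed sample: 64-byte slice, 8-byte header, no alpha, and a V size
 * that places coff[3] at 104, i.e. 40 bytes past the end of the slice data. */
static const slice_hdr_t sample_overlong = { 8, 16, 16, 64, 0 };
#define SAMPLE_SLICE_SIZE 64
```

With `alpha_info` set, the same header is rejected even before the patch because `a_data_size` goes negative; the explicit `coff[3]` check is what closes the no-alpha case.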

Comments

Michael Niedermayer Nov. 10, 2016, 1:38 p.m. UTC | #1
On Wed, Nov 09, 2016 at 11:56:36PM +0100, Andreas Cadhalpun wrote:
> The implicit checks via v_data_size and a_data_size don't work in the case
> '(hdr_size > 7) && !ctx->alpha_info'.
> 
> This fixes segmentation faults due to invalid reads.
> 
> This problem was introduced in commit
> 547c2f002a87f4412a83c23b0d60364be5e7ce58.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavcodec/proresdec_lgpl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

LGTM

thx

[...]
Andreas Cadhalpun Nov. 10, 2016, 8:04 p.m. UTC | #2
On 10.11.2016 14:38, Michael Niedermayer wrote:
> On Wed, Nov 09, 2016 at 11:56:36PM +0100, Andreas Cadhalpun wrote:
>> The implicit checks via v_data_size and a_data_size don't work in the case
>> '(hdr_size > 7) && !ctx->alpha_info'.
>>
>> This fixes segmentation faults due to invalid reads.
>>
>> This problem was introduced in commit
>> 547c2f002a87f4412a83c23b0d60364be5e7ce58.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavcodec/proresdec_lgpl.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> LGTM

Pushed.

Best regards,
Andreas

Patch

diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c
index 467a423..bc5bdb5 100644
--- a/libavcodec/proresdec_lgpl.c
+++ b/libavcodec/proresdec_lgpl.c
@@ -625,7 +625,7 @@  static int decode_slice(AVCodecContext *avctx, void *tdata)
 
     /* if V or alpha component size is negative that means that previous
        component sizes are too large */
-    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) {
+    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) {
         av_log(avctx, AV_LOG_ERROR, "invalid data size\n");
         return AVERROR_INVALIDDATA;
     }
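Review bot: the comment directly above the condition still describes only the negative-size cases, while the new `coff[3] > slice_data_size` term rejects a different situation (the V component ending past the slice data, which the commit message says the negative-size checks miss when hdr_size > 7 and there is no alpha plane); extend the comment, e.g. `/* ... or the last component ends beyond the slice data */`, so the reason for the extra bound is visible in the code itself rather than only in the commit history.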