flashsv: Check diff_start diff_height values

Fix out of array accesses. Found-by: ami_stuff Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Adresses: CVE-2013-7015 (cherry picked from commit 57070b1468) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 10d48fe6d3) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2013-08-20 23:18:48 +02:00 · 2013-08-20 23:18:48 +02:00 · cb5d0ea0be
commit cb5d0ea0be
parent ef6c90e102
1 changed files with 6 additions and 0 deletions
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@ -377,6 +377,12 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                    }
                    s->diff_start  = get_bits(&gb, 8);
                    s->diff_height = get_bits(&gb, 8);
+                    if (s->diff_start + s->diff_height > cur_blk_height) {
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
+                        return AVERROR_INVALIDDATA;
+                    }
                    av_log(avctx, AV_LOG_DEBUG,
                           "%dx%d diff start %d height %d\n",
                           i, j, s->diff_start, s->diff_height);