dfa: improve boundary checks in decode_dds1()

Fixes CVE-2012-2798 CC:libav-stable@libav.org
author: Anton Khirnov <anton@khirnov.net> 2012-09-29 13:25:28 +0200
committer: Anton Khirnov <anton@khirnov.net> 2012-09-29 19:17:07 +0200
commit: d05f72c75445969cd7bdb1d860635c9880c67fb6 (patch)
tree: d940ed2c418ca400592dbe99967ed567531953f3 /libavcodec/dfa.c
parent: 6a99310fce49f51773ab7d8ffa4f4748bbf58db9 (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index c6f09c89a7..d464acb187 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
             bitbuf = bytestream2_get_le16u(gb);
             mask = 1;
         }
-        if (frame_end - frame < 2)
-            return AVERROR_INVALIDDATA;
+
         if (bitbuf & mask) {
             v = bytestream2_get_le16(gb);
             offset = (v & 0x1FFF) << 2;
@@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                 frame += 2;
             }
         } else if (bitbuf & (mask << 1)) {
-            frame += bytestream2_get_le16(gb) * 2;
+            v = bytestream2_get_le16(gb)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
         } else {
-            if (frame_end - frame < width + 2)
+            if (frame_end - frame < width + 3)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
author	Anton Khirnov <anton@khirnov.net>	2012-09-29 13:25:28 +0200
committer	Anton Khirnov <anton@khirnov.net>	2012-09-29 19:17:07 +0200
commit	d05f72c75445969cd7bdb1d860635c9880c67fb6 (patch)
tree	d940ed2c418ca400592dbe99967ed567531953f3 /libavcodec/dfa.c
parent	6a99310fce49f51773ab7d8ffa4f4748bbf58db9 (diff)