dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks

DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not allowed in that case. Also ensure that the decode buffer is big enough for all blocks being processed. Bug-Id: CVE-2017-9992 CC: libav-stable@libav.org
author: Diego Biurrun <diego@biurrun.de> 2017-08-11 19:15:20 +0200
committer: Diego Biurrun <diego@biurrun.de> 2017-08-13 19:58:40 +0200
commit: d34a133b78afe2793cd8537f3c7f42437f441e94 (patch)
tree: be1615d884c39b0a1cd4e7a11ef1e43f620e0249 /libavcodec
parent: a14a12ca137bf1526452b97bedfc9f7b301d4e04 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 2654118fad..1682eb08cd 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
     int mask = 0x10000, bitbuf = 0;
     int i, v, offset, count, segments;
 
+    if ((width | height) & 1)
+        return AVERROR_INVALIDDATA;
     segments = bytestream2_get_le16(gb);
     while (segments--) {
         if (bytestream2_get_bytes_left(gb) < 2)
@@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                 return AVERROR_INVALIDDATA;
             frame += v;
         } else {
-            if (frame_end - frame < width + 3)
+            if (width < 4 || frame_end - frame < width + 4)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
author	Diego Biurrun <diego@biurrun.de>	2017-08-11 19:15:20 +0200
committer	Diego Biurrun <diego@biurrun.de>	2017-08-13 19:58:40 +0200
commit	d34a133b78afe2793cd8537f3c7f42437f441e94 (patch)
tree	be1615d884c39b0a1cd4e7a11ef1e43f620e0249 /libavcodec
parent	a14a12ca137bf1526452b97bedfc9f7b301d4e04 (diff)