From b8b36717217c6f45db71c77ad4e7c65521e7d9ff Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 19 Aug 2016 21:34:38 +0200
Subject: avcodec/cfhd: Increase minimum band dimension to 3

The implementation does not currently support len=2

Fixes out of array accesses
Fixes: 29d1b3db5ba2205e82b0b3a533e057a3/asan_heap-oob_12b650c_9254_3b8c4e4d931eb2c32841c18ebb297f1d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cfhd.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'libavcodec')

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index e8f859c8aa..ef97b547ab 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -320,7 +320,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->plane[s->channel_num].band[0][0].width  = data;
             s->plane[s->channel_num].band[0][0].stride = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data);
-            if (data < 2 || data > s->plane[s->channel_num].band[0][0].a_width) {
+            if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -328,7 +328,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == 28) {
             s->plane[s->channel_num].band[0][0].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data);
-            if (data < 2 || data > s->plane[s->channel_num].band[0][0].height) {
+            if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -366,7 +366,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
             s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -374,7 +374,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == 42) {
             s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -383,7 +383,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
             s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -391,7 +391,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == 50) {
             s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n");
                 ret = AVERROR(EINVAL);
                 break;
-- 
cgit v1.2.3