[FFmpeg-devel] [PATCH] rpza: fix the bounds check

Xiao Yang Wed, 20 Jun 2018 20:47:22 -0700

Fixes invalid writes when there are more blocks in a run than total remaining 
blocks


(see CVE-2014-8548)
---
 libavcodec/rpza.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index b71ebd1..7cb6b89 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -68,6 +68,11 @@ typedef struct RpzaContext {
             row_ptr  += stride * 4; \
         }                           \
         total_blocks--;             \
+        if (total_blocks < !!n_blocks) \
+        { \
+            av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went 
negative (this should not happen)\n"); \
+            return; \
+        } \
     }
 
 static int rpza_decode_stream(RpzaContext *s)
-- 
1.7.9.5

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

[FFmpeg-devel] [PATCH] rpza: fix the bounds check

Reply via email to