[FFmpeg-cvslog] avcodec/hnm4video: check offset before subtraction in decode_interframe_v4a()

Michael Niedermayer git at videolan.org
Mon Feb 3 03:38:34 CET 2014


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Feb  3 03:10:46 2014 +0100| [4d7d9a57825ee7a6394d361b5c5b6f16422b361c] | committer: Michael Niedermayer

avcodec/hnm4video: check offset before subtraction in decode_interframe_v4a()

Fixes out of array read
Fixes: signal_sigsegv_1326a09_1752_cov_245452111_GRTH301.HNS
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d7d9a57825ee7a6394d361b5c5b6f16422b361c
---

 libavcodec/hnm4video.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
index bb827df..d8c51d0 100644
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -311,8 +311,13 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
             offset  = writeoffset;
             offset += bytestream2_get_le16(&gb);
 
-            if (delta)
+            if (delta) {
+                if (offset < 0x10000) {
+                    av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
+                    break;
+                }
                 offset -= 0x10000;
+            }
 
             if (offset + hnm->width + count >= hnm->width * hnm->height) {
                 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
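Review bot: The new guard inside `if (delta)` logs the same string, "Attempting to read out of bounds\n", as the existing check on `offset + hnm->width + count` just below it, so a log line no longer shows which test rejected the data. Consider a distinct message for the underflow case, for example one stating that the offset is below 0x10000 while delta is set. The constant 0x10000 now appears in both the comparison and the subtraction; a named constant or a short comment saying what this bias represents would keep the two in sync. The declaration of `offset` is not visible in this hunk, and the following test only bounds the value from above, so a one-line comment noting that this guard is the lower bound for the delta case would make the intent clear to later readers.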


