falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
Browse Source

avcodec/dnxhddec: Move mb height check out of non hr branch 

Fixes: out of array access
Fixes: poc.dnxhd

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 296debd213)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
tags/n3.3.3
Michael Niedermayer 8 years ago
parent
2f75ebe24a
commit
47c0626ec7
1 changed files with 6 additions and 2 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +6
    -2
      libavcodec/dnxhddec.c

+ 6
- 2
libavcodec/dnxhddec.c View File

@@ -298,14 +298,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) { if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) {
ctx->data_offset = 0x170 + (ctx->mb_height << 2); ctx->data_offset = 0x170 + (ctx->mb_height << 2);
} else { } else {
if (ctx->mb_height > 68 ||
(ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
if (ctx->mb_height > 68) {
av_log(ctx->avctx, AV_LOG_ERROR, av_log(ctx->avctx, AV_LOG_ERROR,
"mb height too big: %d\n", ctx->mb_height); "mb height too big: %d\n", ctx->mb_height);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
ctx->data_offset = 0x280; ctx->data_offset = 0x280;
} }
if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
av_log(ctx->avctx, AV_LOG_ERROR,
"mb height too big: %d\n", ctx->mb_height);
return AVERROR_INVALIDDATA;
}


if (buf_size < ctx->data_offset) { if (buf_size < ctx->data_offset) {
av_log(ctx->avctx, AV_LOG_ERROR, av_log(ctx->avctx, AV_LOG_ERROR,


Write Preview
Loading…
Cancel
Save