utvideodec: Handle slice_height being zero

Message ID 20150308235127.B9B8F5DDF8@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau March 8, 2015, 11:51 p.m.
Module: libav
Branch: master
Commit: 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d

Author:    Michael Niedermayer <michaelni@gmx.at>
Committer: Luca Barbato <lu_zero@gentoo.org>
Date:      Wed Mar  4 17:36:14 2015 +0000

utvideodec: Handle slice_height being zero

Fixes out of array accesses.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

---

 libavcodec/utvideodec.c |    4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 7d75c59..bb8c7aa 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -213,6 +213,8 @@  static void restore_median(uint8_t *src, int step, int stride,
         slice_start  = ((slice * height) / slices) & cmask;
         slice_height = ((((slice + 1) * height) / slices) & cmask) -
                        slice_start;
+        if (!slice_height)
+            continue;
 
         bsrc = src + slice_start * stride;
 
@@ -269,6 +271,8 @@  static void restore_median_il(uint8_t *src, int step, int stride,
         slice_height   = ((((slice + 1) * height) / slices) & cmask) -
                          slice_start;
         slice_height >>= 1;
+        if (!slice_height)
+            continue;
 
         bsrc = src + slice_start * stride;