avcodec/cfhd: Increase minimum band dimension to 3
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 19 Aug 2016 19:34:38 +0000 (21:34 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Fri, 19 Aug 2016 20:28:32 +0000 (22:28 +0200)
The implementation does not currently support len=2

Fixes out of array accesses
Fixes: 29d1b3db5ba2205e82b0b3a533e057a3/asan_heap-oob_12b650c_9254_3b8c4e4d931eb2c32841c18ebb297f1d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/cfhd.c

index e8f859c..ef97b54 100644 (file)
@@ -320,7 +320,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->plane[s->channel_num].band[0][0].width  = data;
             s->plane[s->channel_num].band[0][0].stride = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data);
-            if (data < 2 || data > s->plane[s->channel_num].band[0][0].a_width) {
+            if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -328,7 +328,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == 28) {
             s->plane[s->channel_num].band[0][0].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data);
-            if (data < 2 || data > s->plane[s->channel_num].band[0][0].height) {
+            if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -366,7 +366,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
             s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -374,7 +374,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == 42) {
             s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -383,7 +383,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
             s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n");
                 ret = AVERROR(EINVAL);
                 break;
@@ -391,7 +391,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == 50) {
             s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data);
-            if (data < 2) {
+            if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n");
                 ret = AVERROR(EINVAL);
                 break;