ffmpeg-4/ffmpeg-CVE-2018-13305.patch

34 lines
1.5 KiB
Diff

From d08d4a8c7387e758d439b0592782e4cfa2b4d6a4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 28 Jun 2018 23:46:32 +0200
Subject: [PATCH] avcodec/vc1_block: Fix mqaunt check for negative values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: out of array access
Fixes: ffmpeg_bof_4.avi
Fixes: ffmpeg_bof_5.avi
Fixes: ffmpeg_bof_6.avi
Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Reviewed-by: Jerome Borsboom <jerome.borsboom@carpalis.nl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vc1_block.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: ffmpeg-4.0.2/libavcodec/vc1_block.c
===================================================================
--- ffmpeg-4.0.2.orig/libavcodec/vc1_block.c
+++ ffmpeg-4.0.2/libavcodec/vc1_block.c
@@ -188,7 +188,7 @@ static void vc1_put_signed_blocks_clampe
mquant = v->altpq; \
if ((edges&8) && s->mb_y == (s->mb_height - 1)) \
mquant = v->altpq; \
- if (!mquant || mquant > 31) { \
+ if (!mquant || mquant > 31 || mquant < -31) { \
av_log(v->s.avctx, AV_LOG_ERROR, \
"Overriding invalid mquant %d\n", mquant); \
mquant = 1; \