Stowage/ffmpeg
2
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-14 19:40:29 +00:00
Code Issues Projects Releases Packages Wiki Activity

avcodec/wmv2dec: More Checks about reading skip bits

Browse source 
Fixes: out of array read with --disable-safe-bitstream-reader
Fixes: poc_wmv2.avi

Note, this requires the safe bitstream reader to be turned off by the user and the user disregarding the security warning

Change suggested by: Guanni Qu <qguanni@gmail.com>
Found-by: Guanni Qu <qguanni@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f73849887c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2026-03-12 22:58:18 +01:00
parent 76d1257470
commit bdaee31e48
No known key found for this signature in database
GPG key ID: B18E8928B3948D64
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
libavcodec/wmv2dec.c
View file

@ -131,6 +131,8 @@ static int parse_mb_skip(WMV2DecContext *w)
mb_type[mb_y * h->c.mb_stride + mb_x] =
MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
} else {
if (get_bits_left(&h->gb) < h->c.mb_width)
return AVERROR_INVALIDDATA;
for (int mb_x = 0; mb_x < h->c.mb_width; mb_x++)
mb_type[mb_y * h->c.mb_stride + mb_x] =
(get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
@ -146,6 +148,8 @@ static int parse_mb_skip(WMV2DecContext *w)
mb_type[mb_y * h->c.mb_stride + mb_x] =
MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
} else {
if (get_bits_left(&h->gb) < h->c.mb_height)
return AVERROR_INVALIDDATA;
for (int mb_y = 0; mb_y < h->c.mb_height; mb_y++)
mb_type[mb_y * h->c.mb_stride + mb_x] =
(get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;