CVE-2017-17127

commit ccce723c6d0ea1ea89ea6c47160a07d37cdeeba2
Author: Michael Niedermayer <michaelni@gmx.at>
Date:   Wed Nov 14 17:34:37 2012 +0100

    vc1dec: check first field slices, fix out of array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2017-17127.patch

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 2032b461d79e6ad4df8748c52f8fe7c36bad0365..257035428542438d3f9bbafa308bf90b1c651581 100644 (file)
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -6072,8 +6072,13 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
             s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height);
             if (!v->field_mode || v->second_field)
                 s->end_mb_y = (i == n_slices     ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
-            else
+            else {
+                if (i >= n_slices) {
+                    av_log(v->s.avctx, AV_LOG_ERROR, "first field slice count too large\n");
+                    continue;
+                }
                 s->end_mb_y = (i <= n_slices1 + 1) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
+            }
 
             if (s->end_mb_y <= s->start_mb_y) {
                 av_log(v->s.avctx, AV_LOG_ERROR, "Invalid slice size\n");