From: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Date: Thu, 5 Dec 2019 16:27:00 +0000 (+0000)
Subject: CVE-2017-17127
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u9+rpi1^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5ff3d30a85f72233d227ce012b7593902cf8fcae;p=libav.git

CVE-2017-17127

commit ccce723c6d0ea1ea89ea6c47160a07d37cdeeba2
Author: Michael Niedermayer <michaelni@gmx.at>
Date:   Wed Nov 14 17:34:37 2012 +0100

    vc1dec: check first field slices, fix out of array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>


Gbp-Pq: Name CVE-2017-17127.patch
---

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 2032b46..2570354 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -6072,8 +6072,13 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
             s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height);
             if (!v->field_mode || v->second_field)
                 s->end_mb_y = (i == n_slices     ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
-            else
+            else {
+                if (i >= n_slices) {
+                    av_log(v->s.avctx, AV_LOG_ERROR, "first field slice count too large\n");
+                    continue;
+                }
                 s->end_mb_y = (i <= n_slices1 + 1) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
+            }
 
             if (s->end_mb_y <= s->start_mb_y) {
                 av_log(v->s.avctx, AV_LOG_ERROR, "Invalid slice size\n");