From: Michael Niedermayer Date: Sat, 4 Feb 2017 11:24:14 +0000 (+0100) Subject: avcodec/pngdec: Check trns more completely X-Git-Tag: archive/raspbian/6%11.12-1_deb8u7+rpi1^2~11 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e5bcecfb3739ba390bb7eed4a6988a7247fc2902;p=libav.git avcodec/pngdec: Check trns more completely Fixes out of array access Fixes: 546/clusterfuzz-testcase-4809433909559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer [sunweaver] ported to libav in Debian jessie LTS (which only supports palette based transparency). Gbp-Pq: Name CVE-2017-7863.patch --- diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1511403..40b783a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -592,6 +592,16 @@ static int decode_frame(AVCodecContext *avctx, { int v, i; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); + return AVERROR_INVALIDDATA; + } + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); + return AVERROR_INVALIDDATA; + } + /* read the transparency. XXX: Only palette mode supported */ if (s->color_type != PNG_COLOR_TYPE_PALETTE || length > 256 ||
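Review bot: the two new guards in the tRNS branch use a bare `return AVERROR_INVALIDDATA;` rather than the error exit the rest of decode_frame uses; the hunk does not show whether decode_frame has already set up state that its other error paths release (for example a zlib stream or metadata dictionary), so please confirm that a direct return here matches the existing error handling and does not leak anything, or switch to that common exit (e.g. `ret = AVERROR_INVALIDDATA; goto fail;` if such a label exists). The ordering checks themselves are the right fix: rejecting tRNS before IHDR means `s->color_type` and the palette size are initialised before they are trusted, and rejecting tRNS after IDAT keeps the chunk from rewriting transparency state once pixel data has started, which is how the out-of-bounds write was reached. Two small style points: the messages say "trns" while the chunk is tRNS, and since the checks sit before the existing palette-mode test, a tRNS chunk in a non-palette image is still silently skipped as before, which is fine but worth a comment so nobody later reorders them.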