File 0001-avcodec-exr-Check-tile-positions.patch of Package ffmpeg.6568
From 01aee8148d4fa439cce678a11f5110656c98de1f* Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 17 Aug 2016 21:22:29 +0200
Subject: [PATCH] avcodec/exr: Check tile positions
X-Desc: Backport attempt to 2.8.8 by jengelh@inai.de
References: CVE-2016-6920
References: https://bugzilla.suse.com/show_bug.cgi?id=998636
This also disables the case of mixed x/ymin with tiles; the code
handles these cases inconsistently for the two coordinate axes and is
unlikely to work correctly.
Fixes crash
Fixes: poc1.exr, poc2.exr
Found-by: Yaoguang Chen of Aliapy unLimit Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
Index: ffmpeg-2.8.8/libavcodec/exr.c
===================================================================
--- ffmpeg-2.8.8.orig/libavcodec/exr.c
+++ ffmpeg-2.8.8/libavcodec/exr.c
@@ -836,7 +836,8 @@ static int decode_block(AVCodecContext *
uint32_t xdelta = s->xdelta;
uint16_t *ptr_x;
uint8_t *ptr;
- uint32_t data_size, line;
+ uint32_t data_size;
+ uint64_t line, col = 0;
const uint8_t *src;
int axmax = (avctx->width - (s->xmax + 1)) * 2 * s->desc->nb_components;
int bxmin = s->xmin * 2 * s->desc->nb_components;
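Review bot: `col` is introduced as `uint64_t line, col = 0;` but nothing in this patch assigns it afterwards, so the `col < s->xmin || col > s->xmax` test added in the next hunk compares a constant zero. In this backport that comparison adds no bounds check of its own; whatever protection there is comes from the rejection of non-zero `xmin`/`ymin` placed before it. Either drop `col` and its comparison, or keep them with a comment such as `/* col stays 0: no tile column is read in this branch */` so a later reader does not take the test for a real column check. decode_block starts and ends outside this hunk.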
@@ -849,9 +850,15 @@ static int decode_block(AVCodecContext *
if (line_offset > buf_size - 8)
return AVERROR_INVALIDDATA;
+ if (s->xmin || s->ymin) {
+ avpriv_report_missing_feature(s->avctx, "Tiles with xmin/ymin");
+ return AVERROR_PATCHWELCOME;
+ }
+
src = buf + line_offset + 8;
line = AV_RL32(src - 8);
- if (line < s->ymin || line > s->ymax)
+ if (line < s->ymin || line > s->ymax ||
+ col < s->xmin || col > s->xmax)
return AVERROR_INVALIDDATA;
data_size = AV_RL32(src - 4);
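Review bot: The new `if (s->xmin || s->ymin)` guard sits directly on the path to `line = AV_RL32(src - 8)` with no tile condition visible in the hunk, although its message reads "Tiles with xmin/ymin". If decode_block in 2.8.8 is the ordinary scanline path (this cannot be told from these lines), every file whose data window does not start at 0,0 is now refused with AVERROR_PATCHWELCOME, which is a wider behaviour change than the subject line suggests. It is worth confirming that this is the intended trade-off for the CVE-2016-6920 backport and, if so, making the message name what is actually rejected, e.g. `avpriv_report_missing_feature(s->avctx, "Non-zero xmin/ymin");`. The function body continues outside the hunk.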