File 0001-avcodec-exr-Check-tile-positions.patch of Package ffmpeg.6568

From 01aee8148d4fa439cce678a11f5110656c98de1f* Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 17 Aug 2016 21:22:29 +0200
Subject: [PATCH] avcodec/exr: Check tile positions
X-Desc: Backport attempt to 2.8.8 by jengelh@inai.de
References: CVE-2016-6920
References: https://bugzilla.suse.com/show_bug.cgi?id=998636

This also disabled the case of mixed x/ymin with tiles, the code
handles these cases inconsistent for the 2 coordinate axis and is
unlikely working correctly.

Fixes crash
Fixes: poc1.exr, poc2.exr

Found-by: Yaoguang Chen of Aliapy unLimit Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Index: ffmpeg-2.8.8/libavcodec/exr.c
===================================================================
--- ffmpeg-2.8.8.orig/libavcodec/exr.c
+++ ffmpeg-2.8.8/libavcodec/exr.c
@@ -836,7 +836,8 @@ static int decode_block(AVCodecContext *
     uint32_t xdelta = s->xdelta;
     uint16_t *ptr_x;
     uint8_t *ptr;
-    uint32_t data_size, line;
+    uint32_t data_size;
+    uint64_t line, col = 0;
     const uint8_t *src;
     int axmax = (avctx->width - (s->xmax + 1)) * 2 * s->desc->nb_components;
     int bxmin = s->xmin * 2 * s->desc->nb_components;
@@ -849,9 +850,15 @@ static int decode_block(AVCodecContext *
     if (line_offset > buf_size - 8)
         return AVERROR_INVALIDDATA;
 
+    if (s->xmin || s->ymin) {
+        avpriv_report_missing_feature(s->avctx, "Tiles with xmin/ymin");
+        return AVERROR_PATCHWELCOME;
+    }
+
     src  = buf + line_offset + 8;
     line = AV_RL32(src - 8);
-    if (line < s->ymin || line > s->ymax)
+    if (line < s->ymin || line > s->ymax ||
+        col  < s->xmin || col  > s->xmax)
         return AVERROR_INVALIDDATA;
 
     data_size = AV_RL32(src - 4);
openSUSE Build Service is sponsored by