github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 21:00:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/wmv2dec: More Checks about reading skip bits

Browse Source 
Fixes: out of array read with --disable-safe-bitstream-reader
Fixes: poc_wmv2.avi

Note, this requires the safe bitstream reader to be turned off by the user and the user disregarding the security warning

Change suggested by: Guanni Qu <qguanni@gmail.com>
Found-by: Guanni Qu <qguanni@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f73849887c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-03-12 22:58:18 +01:00
parent ca6e0ee7aa
commit b6faea362a
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/wmv2dec.c
View File

@@ -343,6 +343,8 @@ static int parse_mb_skip(WMV2DecContext *w)
mb_type[mb_y * h->c.mb_stride + mb_x] =
MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
} else {
if (get_bits_left(&h->gb) < h->c.mb_width)
return AVERROR_INVALIDDATA;
for (int mb_x = 0; mb_x < h->c.mb_width; mb_x++)
mb_type[mb_y * h->c.mb_stride + mb_x] =
(get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
@@ -358,6 +360,8 @@ static int parse_mb_skip(WMV2DecContext *w)
mb_type[mb_y * h->c.mb_stride + mb_x] =
MB_TYPE_SKIP | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;
} else {
if (get_bits_left(&h->gb) < h->c.mb_height)
return AVERROR_INVALIDDATA;
for (int mb_y = 0; mb_y < h->c.mb_height; mb_y++)
mb_type[mb_y * h->c.mb_stride + mb_x] =
(get_bits1(&h->gb) ? MB_TYPE_SKIP : 0) | MB_TYPE_16x16 | MB_TYPE_FORWARD_MV;