avcodec/hnm4video: check offset before subtraction in decode_interframe_v4a()

Fixes out of array read Fixes: signal_sigsegv_1326a09_1752_cov_245452111_GRTH301.HNS Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-02-03 03:10:46 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-02-03 03:11:48 +0100
commit: 4d7d9a57825ee7a6394d361b5c5b6f16422b361c (patch)
tree: 9051eeb3870b189c1bd51ed838817de58b82b8f1 /libavcodec/hnm4video.c
parent: 8e36fc0c33566cb6fcb6379595214e7f9b909f88 (diff)
download: ffmpeg-4d7d9a57825ee7a6394d361b5c5b6f16422b361c.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
index bb827dfac3..d8c51d0b75 100644
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -311,8 +311,13 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
             offset  = writeoffset;
             offset += bytestream2_get_le16(&gb);
 
-            if (delta)
+            if (delta) {
+                if (offset < 0x10000) {
+                    av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
+                    break;
+                }
                 offset -= 0x10000;
+            }
 
             if (offset + hnm->width + count >= hnm->width * hnm->height) {
                 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
author	Michael Niedermayer <michaelni@gmx.at>	2014-02-03 03:10:46 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-02-03 03:11:48 +0100
commit	4d7d9a57825ee7a6394d361b5c5b6f16422b361c (patch)
tree	9051eeb3870b189c1bd51ed838817de58b82b8f1 /libavcodec/hnm4video.c
parent	8e36fc0c33566cb6fcb6379595214e7f9b909f88 (diff)
download	ffmpeg-4d7d9a57825ee7a6394d361b5c5b6f16422b361c.tar.gz