From f45da79b2c336c5f8f3e563d72b8a22fecdcde0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Aug 2025 10:35:15 +0200 Subject: [PATCH] avcodec/exr: Dont access outside xsize/ysize Fixes: out of array access Fixes: BIGSLEEP-436510316/dwa_uncompress_write.exr Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 504fea0aac..dea612a42b 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1127,6 +1127,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse float *yb = td->block[0]; float *ub = td->block[1]; float *vb = td->block[2]; + int bw = FFMIN(8, td->xsize - x); + int bh = FFMIN(8, td->ysize - y); memset(td->block, 0, sizeof(td->block)); @@ -1151,8 +1153,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse uint16_t *ro = ((uint16_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x; - for (int yy = 0; yy < 8; yy++) { - for (int xx = 0; xx < 8; xx++) { + for (int yy = 0; yy < bh; yy++) { + for (int xx = 0; xx < bw; xx++) { const int idx = xx + yy * 8; float b, g, r; @@ -1175,8 +1177,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse float *ro = ((float *)td->uncompressed_data) + y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x; - for (int yy = 0; yy < 8; yy++) { - for (int xx = 0; xx < 8; xx++) { + for (int yy = 0; yy < bh; yy++) { + for (int xx = 0; xx < bw; xx++) { const int idx = xx + yy * 8; convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);
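Review bot: The new `bw`/`bh` clamps at the top of the block have no comment, and the reason for them is not obvious from the two store loops they now bound (the half-float loop in the second hunk and the float loop in the third). The decoded block is still a full 8x8, which is why `idx = xx + yy * 8` keeps its stride of 8; only the store into the output planes is cut at the tile edge. I would add `/* edge blocks: the tile may end inside the 8x8 block, store only the part inside xsize/ysize */` above them and declare both as `const int`. The clamp presumably relies on the enclosing loops keeping `x < td->xsize` and `y < td->ysize`; those loops are outside the hunk, though a zero or negative difference would only make the store loops not run. `dwa_uncompress` starts and ends outside all three hunks, so whether any other store into `td->uncompressed_data` needs the same bound cannot be checked from here.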