Browse code
vqavideodev: Check image dimensions
Fixes out of heap array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
Independently-Found-by: Fabian Yamaguchi
Fixes: CVE-2012-0947
Conflicts:
libavcodec/vqavideo.c
Michael Niedermayer authored on 2012/03/23 07:43:37Showing 1 changed files
| ... | ... |
@@ -164,6 +164,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) |
| 164 | 164 |
s->codebook = av_malloc(s->codebook_size); |
| 165 | 165 |
s->next_codebook_buffer = av_malloc(s->codebook_size); |
| 166 | 166 |
|
| 167 |
+ if (s->width % s->vector_width || s->height % s->vector_height) {
|
|
| 168 |
+ av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n"); |
|
| 169 |
+ return AVERROR_INVALIDDATA; |
|
| 170 |
+ } |
|
| 171 |
+ |
|
| 167 | 172 |
/* initialize the solid-color vectors */ |
| 168 | 173 |
if (s->vector_height == 4) {
|
| 169 | 174 |
codebook_index = 0xFF00 * 16; |