Fixes out of heap array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
Independently-Found-by: Fabian Yamaguchi
Fixes: CVE-2012-0947
Conflicts:
libavcodec/vqavideo.c
... | ... |
@@ -164,6 +164,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) |
164 | 164 |
s->codebook = av_malloc(s->codebook_size); |
165 | 165 |
s->next_codebook_buffer = av_malloc(s->codebook_size); |
166 | 166 |
|
167 |
+ if (s->width % s->vector_width || s->height % s->vector_height) { |
|
168 |
+ av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n"); |
|
169 |
+ return AVERROR_INVALIDDATA; |
|
170 |
+ } |
|
171 |
+ |
|
167 | 172 |
/* initialize the solid-color vectors */ |
168 | 173 |
if (s->vector_height == 4) { |
169 | 174 |
codebook_index = 0xFF00 * 16; |