vqavideodev: Check image dimensions

Fixes out of heap array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d) Independently-Found-by: Fabian Yamaguchi Fixes: CVE-2012-0947 Conflicts: libavcodec/vqavideo.c
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-22 23:43:37 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-05-03 00:22:32 +0200
commit: 1ee1e9e43ff35c3d3f0e36c6f3f2e604179d2c73 (patch)
tree: 1cb53dd939e47c1d0da9ff9e94a818057875bcf2
parent: 15e9aee544f0ff2b556cff1fa87e4c348b861991 (diff)
download: ffmpeg-1ee1e9e43ff35c3d3f0e36c6f3f2e604179d2c73.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 08d419dd73..d5182ed853 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -160,6 +160,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
     s->codebook = av_malloc(s->codebook_size);
     s->next_codebook_buffer = av_malloc(s->codebook_size);
 
+    if (s->width % s->vector_width || s->height % s->vector_height) {
+        av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* initialize the solid-color vectors */
     if (s->vector_height == 4) {
         codebook_index = 0xFF00 * 16;
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-22 23:43:37 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-05-03 00:22:32 +0200
commit	1ee1e9e43ff35c3d3f0e36c6f3f2e604179d2c73 (patch)
tree	1cb53dd939e47c1d0da9ff9e94a818057875bcf2
parent	15e9aee544f0ff2b556cff1fa87e4c348b861991 (diff)
download	ffmpeg-1ee1e9e43ff35c3d3f0e36c6f3f2e604179d2c73.tar.gz