vqavideodev: Check image dimensions

Fixes out of heap array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d) Independently-Found-by: Fabian Yamaguchi Fixes: CVE-2012-0947 Conflicts: libavcodec/vqavideo.c
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-22 23:43:37 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-05-03 00:29:18 +0200
commit: e70d202275bf93c6f0d480937a8230d45c343561 (patch)
tree: d2e2bfd19a01b8572d40f2a55fb0e4e96575ed9b
parent: 9de0c8c60c37a522cbb7de57dca6c623152e4634 (diff)
download: ffmpeg-e70d202275bf93c6f0d480937a8230d45c343561.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 917e04be47..727354defa 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -164,6 +164,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
     s->codebook = av_malloc(s->codebook_size);
     s->next_codebook_buffer = av_malloc(s->codebook_size);
 
+    if (s->width % s->vector_width || s->height % s->vector_height) {
+        av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* initialize the solid-color vectors */
     if (s->vector_height == 4) {
         codebook_index = 0xFF00 * 16;
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-22 23:43:37 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-05-03 00:29:18 +0200
commit	e70d202275bf93c6f0d480937a8230d45c343561 (patch)
tree	d2e2bfd19a01b8572d40f2a55fb0e4e96575ed9b
parent	9de0c8c60c37a522cbb7de57dca6c623152e4634 (diff)
download	ffmpeg-e70d202275bf93c6f0d480937a8230d45c343561.tar.gz