diff options
author | Mans Rullgard <mans@mansr.com> | 2012-04-23 13:16:33 +0100 |
---|---|---|
committer | Mans Rullgard <mans@mansr.com> | 2012-05-03 21:40:19 +0100 |
commit | 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3 (patch) | |
tree | ab9d3fb92027411a3e60c82edf4973a748ce3390 | |
parent | e5356ebf2216918ad6351d4caa8b58c881c4b0ea (diff) | |
download | ffmpeg-58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3.tar.gz |
vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
-rw-r--r-- | libavcodec/vqavideo.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 9cca3e743d..dc58b60004 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -151,6 +151,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); |