dfa: check that the caller set width/height properly.

Fixes CVE-2012-2786. (cherry picked from commit ee715f49a06bf3898246d01b056284a9bb1bcbb9) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Anton Khirnov <anton@khirnov.net> 2012-09-28 14:47:56 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2013-01-04 07:43:37 +0100
commit: 4c849c69910c6c59ba57022ef28aaf70192a0e12 (patch)
tree: 26a17c22ecd32bdcf39d6869be040c77d44d6fb8
parent: 42c3a3719b055836291eec5765857872fb75a1f8 (diff)
download: ffmpeg-4c849c69910c6c59ba57022ef28aaf70192a0e12.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 919375baf0..1cb97dc017 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -23,6 +23,8 @@
 #include "avcodec.h"
 #include "libavutil/intreadwrite.h"
 #include "bytestream.h"
+
+#include "libavutil/imgutils.h"
 #include "libavutil/lzo.h" // for av_memcpy_backptr
 
 typedef struct DfaContext {
@@ -35,9 +37,13 @@ typedef struct DfaContext {
 static av_cold int dfa_decode_init(AVCodecContext *avctx)
 {
     DfaContext *s = avctx->priv_data;
+    int ret;
 
     avctx->pix_fmt = PIX_FMT_PAL8;
 
+    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+        return ret;
+
     s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING);
     if (!s->frame_buf)
         return AVERROR(ENOMEM);
author	Anton Khirnov <anton@khirnov.net>	2012-09-28 14:47:56 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2013-01-04 07:43:37 +0100
commit	4c849c69910c6c59ba57022ef28aaf70192a0e12 (patch)
tree	26a17c22ecd32bdcf39d6869be040c77d44d6fb8
parent	42c3a3719b055836291eec5765857872fb75a1f8 (diff)
download	ffmpeg-4c849c69910c6c59ba57022ef28aaf70192a0e12.tar.gz