mmvideo: check frame dimensions

The frame size must be set by the caller and each dimension must be a multiple of 2. CC: libav-stable@libav.org Bug-ID: CVE-2014-8543 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Anton Khirnov <anton@khirnov.net> 2014-12-14 21:01:59 +0100
committer: Anton Khirnov <anton@khirnov.net> 2014-12-20 10:51:41 +0100
commit: 69a930b988ff4f88ae27e4fc24ff6ed116840b5e (patch)
tree: 7767bb1834adc968f73276d70aafbf13a0c77f9b
parent: 55788572ea7b89cdd77bab1cf4bf06d14ead34f5 (diff)
download: ffmpeg-69a930b988ff4f88ae27e4fc24ff6ed116840b5e.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index d80c832a31..25124a3edf 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx)
 
     avctx->pix_fmt = AV_PIX_FMT_PAL8;
 
+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 1) || (avctx->height & 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
     s->frame = av_frame_alloc();
     if (!s->frame)
         return AVERROR(ENOMEM);
author	Anton Khirnov <anton@khirnov.net>	2014-12-14 21:01:59 +0100
committer	Anton Khirnov <anton@khirnov.net>	2014-12-20 10:51:41 +0100
commit	69a930b988ff4f88ae27e4fc24ff6ed116840b5e (patch)
tree	7767bb1834adc968f73276d70aafbf13a0c77f9b
parent	55788572ea7b89cdd77bab1cf4bf06d14ead34f5 (diff)
download	ffmpeg-69a930b988ff4f88ae27e4fc24ff6ed116840b5e.tar.gz