oggparsedaala: check number of planes in pixel format map

This fixes crashes caused by out-of-bounds writes. Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-12-29 16:38:26 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-12-29 18:42:14 +0100
commit: b4466c9c1a82ce72011ed72e1221a30b15f73adb (patch)
tree: f5c72cf92187b0999bdcfc609c5e4e08eec7b714
parent: 4a44bc5588944cb8a81e0896bc97643e0c894989 (diff)
download: ffmpeg-b4466c9c1a82ce72011ed72e1221a30b15f73adb.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c
index dda8d70abd..24567f93a9 100644
--- a/libavformat/oggparsedaala.c
+++ b/libavformat/oggparsedaala.c
@@ -130,6 +130,12 @@ static int daala_header(AVFormatContext *s, int idx)
         hdr->fpr = bytestream2_get_byte(&gb);
 
         hdr->format.planes = bytestream2_get_byte(&gb);
+        if (hdr->format.planes > 4) {
+            av_log(s, AV_LOG_ERROR,
+                   "Invalid number of planes %d in daala pixel format map.\n",
+                   hdr->format.planes);
+            return AVERROR_INVALIDDATA;
+        }
         for (i = 0; i < hdr->format.planes; i++) {
             hdr->format.xdec[i] = bytestream2_get_byte(&gb);
             hdr->format.ydec[i] = bytestream2_get_byte(&gb);
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-12-29 16:38:26 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-12-29 18:42:14 +0100
commit	b4466c9c1a82ce72011ed72e1221a30b15f73adb (patch)
tree	f5c72cf92187b0999bdcfc609c5e4e08eec7b714
parent	4a44bc5588944cb8a81e0896bc97643e0c894989 (diff)
download	ffmpeg-b4466c9c1a82ce72011ed72e1221a30b15f73adb.tar.gz