aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2015-05-06 15:34:53 +0200
committerMichael Niedermayer <michaelni@gmx.at>2015-05-21 20:43:37 +0200
commitb8568c546e185f9528e129d0620cac2f80403ad1 (patch)
tree9b9fd2b38ab88f2d3df0555fcd32b75cc26b75d6
parent7d58774360feb20339b68d6e955974f0d632afa4 (diff)
downloadffmpeg-b8568c546e185f9528e129d0620cac2f80403ad1.tar.gz
diracdec: check that block length is valid
In init_planes p->xblen and p->yblen are set to: p->xblen = s->plane[0].xblen >> s->chroma_x_shift; p->yblen = s->plane[0].yblen >> s->chroma_y_shift; These are later used as block_w and block_h arguments of s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2 in emulated_edge_mc: av_assert2(start_x < end_x && block_w > 0); av_assert2(start_y < end_y && block_h > 0); Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/diracdec.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 966c358786..1bfe6be0a4 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -899,6 +899,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
/*[DIRAC_STD] 11.2.4 motion_data_dimensions()
Calculated in function dirac_unpack_block_motion_data */
+ if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 ||
+ s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 ||
+ !s->plane[0].xblen || !s->plane[0].yblen) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n",
+ s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift);
+ return AVERROR_INVALIDDATA;
+ }
if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) {
av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n");
return -1;