diff options
| author | Martin Storsjö <martin@martin.st> | 2013-09-16 20:40:13 +0300 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-10-04 03:26:26 +0200 |
| commit | c8c93795e4afd04c2c5b74e29e8dec29b6a76b81 (patch) | |
| tree | 347341d7aa99d535acba53e06a1c9f452c3dd125 | |
| parent | 38bd229af9c4fa5897fc1a69e73a04c55f78647f (diff) | |
| download | ffmpeg-c8c93795e4afd04c2c5b74e29e8dec29b6a76b81.tar.gz | |
mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
This avoids a potential division by zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f875a732e36786d49f3650e3235272891a820600)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavcodec/mpeg4videodec.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index faa98668d9..7ff290c9e0 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -152,7 +152,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){ return 0; } -static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) +static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb) { int i; int a= 2<<s->sprite_warping_accuracy; @@ -168,6 +168,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb int h= s->height; int min_ab; + if (w <= 0 || h <= 0) + return AVERROR_INVALIDDATA; + for(i=0; i<s->num_sprite_warping_points; i++){ int length; int x=0, y=0; @@ -340,6 +343,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb } s->real_sprite_warping_points= s->num_sprite_warping_points; } + return 0; } /** @@ -414,7 +418,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s) skip_bits(&s->gb, 3); /* intra dc vlc threshold */ //FIXME don't just ignore everything if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){ - mpeg4_decode_sprite_trajectory(s, &s->gb); + if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_ERROR, "untested\n"); } @@ -2029,7 +2034,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){ } if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){ - mpeg4_decode_sprite_trajectory(s, gb); + if (mpeg4_decode_sprite_trajectory(s, gb) < 0) + return AVERROR_INVALIDDATA; if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n"); if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); } |