authorLaurent Aimar <fenrir@videolan.org>2011-09-24 23:16:18 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-09-24 23:42:49 +0200
commite7aed1280ea14b60fceae04d71dfd03e1daf2d04 (patch)
treedae4a06610ce32e2994252154d3447730acd9cfd
parent00cbe9e4053fd562b6f21e76aca6636ff926b637 (diff)
downloadffmpeg-e7aed1280ea14b60fceae04d71dfd03e1daf2d04.tar.gz
Check for invalid update parameters in vmd video decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/vmdav.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 77e0432610..202cbc4504 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -204,6 +204,16 @@ static void vmd_decode(VmdVideoContext *s)
frame_y = AV_RL16(&s->buf[8]);
frame_width = AV_RL16(&s->buf[10]) - frame_x + 1;
frame_height = AV_RL16(&s->buf[12]) - frame_y + 1;
+ if (frame_x < 0 || frame_width < 0 ||
+ frame_x >= s->avctx->width ||
+ frame_width > s->avctx->width ||
+ frame_x + frame_width > s->avctx->width)
+ return;
+ if (frame_y < 0 || frame_height < 0 ||
+ frame_y >= s->avctx->height ||
+ frame_height > s->avctx->height ||
+ frame_y + frame_height > s->avctx->height)
+ return;
if ((frame_width == s->avctx->width && frame_height == s->avctx->height) &&
(frame_x || frame_y)) {
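Review bot: Both added `return;` statements drop a malformed update rectangle silently: `vmd_decode` is `void` (per the hunk header), so the caller cannot tell a rejected frame from a decoded one, and nothing is logged for anyone triaging a crafted or corrupt file. At minimum, emit a diagnostic before each return, e.g. `av_log(s->avctx, AV_LOG_ERROR, "Invalid update rectangle\n");` (message text is a suggestion). Longer term the function could return an error code that the decode callback propagates. The guards also accept `frame_width == 0` and `frame_height == 0` because they test `< 0`. Whether the copy and decode paths further down tolerate an empty rectangle is not visible here, since the body of `vmd_decode` continues outside the hunk, so either confirm that or change the tests to `<= 0`. A short comment above the checks stating that the rectangle comes from the untrusted frame header and must lie inside `avctx->width` x `avctx->height` would document the intent.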