authorMans Rullgard <mans@mansr.com>2012-04-23 13:16:33 +0100
committerReinhard Tartler <siretart@tauware.de>2012-05-04 22:14:26 +0200
commitd5207e2af81580dd5e6277b354c8b459c3624f26 (patch)
treefe3e9db11c8a1400b4120c6a777eaa63e410ba44 /libavcodec
parent9ea94c44b1b414ab3bc6e9220ebb77621423ca38 (diff)
downloadffmpeg-d5207e2af81580dd5e6277b354c8b459c3624f26.tar.gz
vqavideo: return error if image size is not a multiple of block size
The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard <mans@mansr.com> (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/vqavideo.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index bc1ff27da4..4826650a6e 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -151,6 +151,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
return -1;
}
+ if (s->width & (s->vector_width - 1) ||
+ s->height & (s->vector_height - 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+ return AVERROR_INVALIDDATA;
+ }
+
/* allocate codebooks */
s->codebook_size = MAX_CODEBOOK_SIZE;
s->codebook = av_malloc(s->codebook_size);
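Review bot: The divisibility test added in `vqa_decode_init` (`s->width & (s->vector_width - 1)` and the matching height term) only means "multiple of block size" when `vector_width` and `vector_height` are powers of two, and nothing visible in this hunk establishes that. The `return -1;` just above presumably closes a check on the vector dimensions, but that code is outside the hunk, so I would state the dependency next to the new test, e.g. `/* vector dimensions were validated above as powers of two, so the mask test is a divisibility check */`. Because the commit message says the decoder relies on this assumption in various places, it is also worth confirming that a zero width or height, which passes the mask test, is rejected earlier in the function. The function body begins and ends outside the hunk.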