aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorAnton Khirnov <anton@khirnov.net>2016-08-14 10:18:39 +0200
committerAnton Khirnov <anton@khirnov.net>2016-08-18 17:06:46 +0200
commit6755eb5b212384e0599f7f2c5de42df49fff57de (patch)
tree5f62e4d0c6c93bb5e270dbf98be7e3689e91c3f6 /libavcodec
parent33f10546ec012ad4e1054b57317885cded7e953e (diff)
downloadffmpeg-6755eb5b212384e0599f7f2c5de42df49fff57de.tar.gz
mss12: validate display dimensions
The code currently reads the coded dimensions from the extradata, but expects the display dimensions to be set by the caller, and does not check that they are compatible (i.e. that the displayed size is smaller than the coded size). Make sure that when the display dimensions are set, they are also valid. Fixes possible invalid memory access. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/mss12.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c
index d4b621fc89..b9bda16766 100644
--- a/libavcodec/mss12.c
+++ b/libavcodec/mss12.c
@@ -588,6 +588,16 @@ av_cold int ff_mss12_decode_init(MSS12Context *c, int version,
avctx->coded_width, avctx->coded_height);
return AVERROR_INVALIDDATA;
}
+ if (avctx->width || avctx->height) {
+ if (avctx->width <= 0 || avctx->width > avctx->coded_width ||
+ avctx->height <= 0 || avctx->height > avctx->coded_height) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid display dimensions\n");
+ return AVERROR_INVALIDDATA;
+ }
+ } else {
+ avctx->width = avctx->coded_width;
+ avctx->height = avctx->coded_height;
+ }
av_log(avctx, AV_LOG_DEBUG, "Encoder version %"PRIu32".%"PRIu32"\n",
AV_RB32(avctx->extradata + 4), AV_RB32(avctx->extradata + 8));