author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-02-23 11:19:33 -0800 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-02-29 14:23:11 +0100 |
commit | b2dcac7141a2fb72074679efbefcb4d8bef24c41 (patch) | |
tree | 747f1e40f4a1e8d2394b789ae0ad61ad8595df8c /libavcodec | |
parent | 40ccc811461c2c5f7999200315f9e2a563807147 (diff) | |
vp56: error out on invalid stream dimensions.
Prevents crashes when playing corrupt vp5/6 streams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vp5.c | 5 | ||||
-rw-r--r-- | libavcodec/vp6.c | 6 |
2 files changed, 10 insertions, 1 deletions
diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
index 56f667cb63..1c6eaa9d42 100644
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -57,6 +57,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
 }
 rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */
 cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */
+ if (!rows || !cols) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
+ cols << 4, rows << 4);
+ return 0;
+ }
 vp56_rac_gets(c, 8); /* number of displayed macroblock rows */
 vp56_rac_gets(c, 8); /* number of displayed macroblock cols */
 vp56_rac_gets(c, 2);
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 9433983be3..e4783c6e84 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -77,6 +77,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
 cols = buf[3]; /* number of stored macroblock cols */
 /* buf[4] is number of displayed macroblock rows */
 /* buf[5] is number of displayed macroblock cols */
+ if (!rows || !cols) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
+ return 0;
+ }
 if (!s->macroblocks || /* first frame */
 16*cols != s->avctx->coded_width ||
@@ -97,7 +101,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
 vrt_shift = 5;
 s->sub_version = sub_version;
 } else {
- if (!s->sub_version)
+ if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
 return 0;
 if (separated_coeff || !s->filter_header) { |
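Review bot: Both new error paths (`if (!rows || !cols)` in vp5_parse_header and the identical check in the first vp6.c hunk) leave with a bare `return 0;`, and nothing in either hunk says that 0 is the failure value. The pre-existing `return 0;` under `!s->sub_version` in the last vp6.c hunk suggests that is the convention, but the caller is not part of this diff, so it should be confirmed. I would state it at the return, e.g. `return 0; /* 0 signals an unusable header to the caller */`. Both function bodies start and end outside their hunks.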
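Review bot: The added `!s->avctx->coded_width || !s->avctx->coded_height` test in the non-key-frame branch of vp6_parse_header uses the codec context's dimensions as a stand-in for "a key frame with valid dimensions was accepted". Those fields live on the AVCodecContext and may be set from outside this decoder, so a non-zero value does not by itself show that the decoder's own buffers were sized. The first vp6.c hunk already treats `!s->macroblocks` as the first-frame marker, so checking it here as well would tie the guard to the decoder's own state: `if (!s->sub_version || !s->macroblocks || !s->avctx->coded_width || !s->avctx->coded_height)`. The function continues outside the hunk, so confirm that `s->macroblocks` is set on every path that reaches this branch. The vp5.c hunk adds no matching inter-frame guard, and vp5's non-key-frame path is also outside the diff, so whether it is already covered should be checked too.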