diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-05-13 18:09:04 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-05-14 01:05:59 +0200 |
| commit | e32acc455db2e45e638a45b68984931321864956 (patch) | |
| tree | a82e563f6b43c154fd847cc1dc10b29f9526e165 /libavcodec | |
| parent | 6f2f754d97d9e98fa660cfab5f172983fb9b4730 (diff) | |
| download | ffmpeg-e32acc455db2e45e638a45b68984931321864956.tar.gz | |
avcodec/lcldec: Check that dimensions are a multiple of the subsample factors
Other dimensions would not work correctly currently,
also ask for a sample for files that fail this check.
This fixes an integer overflow leading to out of array
accesses.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e00bbb10cbde3da03a1e744265ce6def9ae4c56)
Conflicts:
libavcodec/lcldec.c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/lcldec.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index f180373eae..2a4d61d180 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -41,6 +41,7 @@ #include <stdio.h> #include <stdlib.h> +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bytestream.h" #include "lcl.h" @@ -484,6 +485,7 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int basesize = avctx->width * avctx->height; unsigned int max_basesize = FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) + AV_LZO_OUTPUT_PADDING; unsigned int max_decomp_size; + int subsample_h, subsample_v; avcodec_get_frame_defaults(&c->pic); if (avctx->extradata_size < 8) { @@ -510,6 +512,10 @@ static av_cold int decode_init(AVCodecContext *avctx) max_decomp_size = max_basesize * 2; avctx->pix_fmt = PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); + if (avctx->width % 4) { + av_log_ask_for_sample(avctx, "Unsupported dimensions\n"); + return AVERROR_INVALIDDATA; + } break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; @@ -540,6 +546,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + avcodec_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); + if (avctx->width % (1<<subsample_h) || avctx->height % (1<<subsample_v)) { + av_log_ask_for_sample(avctx, "Unsupported dimensions\n"); + return AVERROR_INVALIDDATA; + } + /* Detect compression method */ c->compression = (int8_t)avctx->extradata[5]; switch (avctx->codec_id) { |