Module: libav Branch: release/0.5 Commit: 468cc41d6d7bba97f67e9a6c8386ca98cde41190
Author: Mans Rullgard <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Mon Apr 23 13:16:33 2012 +0100 vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard <[email protected]> (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler <[email protected]> (cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26) Signed-off-by: Reinhard Tartler <[email protected]> (cherry picked from commit c71c77e56fcc6d469d45e1c8ce04aa053124d3f8) Signed-off-by: Reinhard Tartler <[email protected]> (cherry picked from commit c90da45d5a7a4045dbf22fba52c63ef55d207269) Signed-off-by: Reinhard Tartler <[email protected]> --- libavcodec/vqavideo.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 00df736..f34a631 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -163,6 +163,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
