Module: libav Branch: release/0.8 Commit: 69337117482e2e39de81b097fb44156a56cbea9d
Author: Luca Barbato <[email protected]> Committer: Diego Biurrun <[email protected]> Date: Fri Jun 26 15:57:16 2015 +0200 h263: Always check both dimensions CC: [email protected] Found-By: [email protected] Bug-Id: CVE-2015-5479 (cherry picked from commit 0a49a62f998747cfa564d98d36a459fe70d3299b) Signed-off-by: Diego Biurrun <[email protected]> --- libavcodec/ituh263dec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index ebbead4..8ed3a01 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -30,6 +30,7 @@ //#define DEBUG #include <limits.h> +#include "libavutil/imgutils.h" #include "libavutil/mathematics.h" #include "dsputil.h" #include "avcodec.h" @@ -868,7 +869,7 @@ end: /* most is hardcoded. should extend to handle all h263 streams */ int ff_h263_decode_picture_header(MpegEncContext *s) { - int format, width, height, i; + int format, width, height, i, ret; uint32_t startcode; align_get_bits(&s->gb); @@ -920,8 +921,6 @@ int ff_h263_decode_picture_header(MpegEncContext *s) /* H.263v1 */ width = ff_h263_format[format][0]; height = ff_h263_format[format][1]; - if (!width) - return -1; s->pict_type = AV_PICTURE_TYPE_I + get_bits1(&s->gb); @@ -1074,6 +1073,9 @@ int ff_h263_decode_picture_header(MpegEncContext *s) s->qscale = get_bits(&s->gb, 5); } + if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) + return ret; + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
