1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00

avcodec/lcldec: Check that dimensions are a multiple of the subsample factors

Other dimensions would not work correctly currently,
also ask for a sample for files that fail this check.

This fixes an integer overflow leading to out of array
accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-05-13 18:09:04 +02:00
parent b3c263e209
commit 1e00bbb10c

View File

@ -42,6 +42,7 @@
#include <stdlib.h>
#include "libavutil/mem.h"
#include "libavutil/pixdesc.h"
#include "avcodec.h"
#include "bytestream.h"
#include "internal.h"
@ -482,6 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
unsigned int max_basesize = FFALIGN(avctx->width, 4) *
FFALIGN(avctx->height, 4);
unsigned int max_decomp_size;
int subsample_h, subsample_v;
if (avctx->extradata_size < 8) {
av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
@ -507,6 +509,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
max_decomp_size = max_basesize * 2;
avctx->pix_fmt = AV_PIX_FMT_YUV422P;
av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n");
if (avctx->width % 4) {
avpriv_request_sample(avctx, "Unsupported dimensions\n");
return AVERROR_INVALIDDATA;
}
break;
case IMGTYPE_RGB24:
c->decomp_size = basesize * 3;
@ -537,6 +543,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
return AVERROR_INVALIDDATA;
}
av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v);
if (avctx->width % (1<<subsample_h) || avctx->height % (1<<subsample_v)) {
avpriv_request_sample(avctx, "Unsupported dimensions\n");
return AVERROR_INVALIDDATA;
}
/* Detect compression method */
c->compression = (int8_t)avctx->extradata[5];
switch (avctx->codec_id) {