From 8bc396fc0e8769a056375c1c211f389ce0e3ecc5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 11:19:33 -0800 Subject: [PATCH] vp56: error out on invalid stream dimensions. Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/vp5.c | 5 +++++ libavcodec/vp6.c | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 999b183c7f..19079ffd0d 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -57,6 +57,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, } rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ + if (!rows || !cols) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", + cols << 4, rows << 4); + return 0; + } vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ vp56_rac_gets(c, 2); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 75863a9b67..f6c7761f9d 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -77,6 +77,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, cols = buf[3]; /* number of stored macroblock cols */ /* buf[4] is number of displayed macroblock rows */ /* buf[5] is number of displayed macroblock cols */ + if (!rows || !cols) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); + return 0; + } if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || @@ -97,7 +101,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, vrt_shift = 5; s->sub_version = sub_version; } else { - if (!s->sub_version) + if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height) return 0; if (separated_coeff || !s->filter_header) {