virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

vp56: error out on invalid stream dimensions.

Browse Source 
Prevents crashes when playing corrupt vp5/6 streams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Ronald S. Bultje 2012-02-23 11:19:33 -08:00
parent bb6d5411e1
commit 8bc396fc0e
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/vp5.c
View File

@ -57,6 +57,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
} }
rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */
cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */
if (!rows || !cols) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
cols << 4, rows << 4);
return 0;
}
vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock rows */
vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */
vp56_rac_gets(c, 2); vp56_rac_gets(c, 2);

6
libavcodec/vp6.c
View File

@ -77,6 +77,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
cols = buf[3]; /* number of stored macroblock cols */ cols = buf[3]; /* number of stored macroblock cols */
/* buf[4] is number of displayed macroblock rows */ /* buf[4] is number of displayed macroblock rows */
/* buf[5] is number of displayed macroblock cols */ /* buf[5] is number of displayed macroblock cols */
if (!rows || !cols) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
return 0;
}
if (!s->macroblocks || /* first frame */ if (!s->macroblocks || /* first frame */
16*cols != s->avctx->coded_width || 16*cols != s->avctx->coded_width ||
@ -97,7 +101,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
vrt_shift = 5; vrt_shift = 5;
s->sub_version = sub_version; s->sub_version = sub_version;
} else { } else {
if (!s->sub_version) if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
return 0; return 0;
if (separated_coeff || !s->filter_header) { if (separated_coeff || !s->filter_header) {