[FFmpeg-cvslog] vqavideo: return error if image size is not a multiple of block size

Mans Rullgard git at videolan.org
Mon Jun 4 13:07:43 CEST 2012


ffmpeg | branch: release/0.8 | Mans Rullgard <mans at mansr.com> | Mon Apr 23 13:16:33 2012 +0100| [c71c77e56fcc6d469d45e1c8ce04aa053124d3f8] | committer: Reinhard Tartler

vqavideo: return error if image size is not a multiple of block size

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans at mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c71c77e56fcc6d469d45e1c8ce04aa053124d3f8
---

 libavcodec/vqavideo.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index caffddb..81b08d1 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -155,6 +155,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
         return -1;
     }
 
+    if (s->width  & (s->vector_width  - 1) ||
+        s->height & (s->vector_height - 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* allocate codebooks */
     s->codebook_size = MAX_CODEBOOK_SIZE;
     s->codebook = av_malloc(s->codebook_size);



More information about the ffmpeg-cvslog mailing list