[FFmpeg-cvslog] h264_ps: check croping values
Michael Niedermayer
git at videolan.org
Wed May 1 00:27:28 CEST 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Apr 30 23:48:53 2013 +0200| [c3bd306e78f9e3ca2f136f5b30cbe49fa0884f82] | committer: Michael Niedermayer
h264_ps: check croping values
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c3bd306e78f9e3ca2f136f5b30cbe49fa0884f82
---
libavcodec/h264_ps.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 68f504a..6172fdd 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -463,6 +463,8 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
int crop_right = get_ue_golomb(&h->gb);
int crop_top = get_ue_golomb(&h->gb);
int crop_bottom = get_ue_golomb(&h->gb);
+ int width = 16 * sps->mb_width;
+ int height = 16 * sps->mb_height * (2 - sps->frame_mbs_only_flag);
if (h->avctx->flags2 & CODEC_FLAG2_IGNORE_CROP) {
av_log(h->avctx, AV_LOG_DEBUG, "discarding sps cropping, original "
@@ -487,6 +489,17 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
crop_left);
}
+ if (crop_left > (unsigned)INT_MAX / 4 / step_x ||
+ crop_right > (unsigned)INT_MAX / 4 / step_x ||
+ crop_top > (unsigned)INT_MAX / 4 / step_y ||
+ crop_bottom> (unsigned)INT_MAX / 4 / step_y ||
+ (crop_left + crop_right ) * step_x >= width ||
+ (crop_top + crop_bottom) * step_y >= height
+ ) {
+ av_log(h->avctx, AV_LOG_ERROR, "crop values invalid %d %d %d %d / %d %d\n", crop_left, crop_right, crop_top, crop_bottom, width, height);
+ goto fail;
+ }
+
sps->crop_left = crop_left * step_x;
sps->crop_right = crop_right * step_x;
sps->crop_top = crop_top * step_y;
More information about the ffmpeg-cvslog
mailing list