[FFmpeg-cvslog] avcodec/lcldec: Check that dimensions are a multiple of the subsample factors

Michael Niedermayer git at videolan.org
Mon May 13 19:01:00 CEST 2013 

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon May 13 18:09:04 2013 +0200| [1e00bbb10cbde3da03a1e744265ce6def9ae4c56] | committer: Michael Niedermayer

avcodec/lcldec: Check that dimensions are a multiple of the subsample factors

Other dimensions would not work correctly currently,
also ask for a sample for files that fail this check.

This fixes an integer overflow leading to out of array
accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1e00bbb10cbde3da03a1e744265ce6def9ae4c56
---

 libavcodec/lcldec.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 7948199..ad7ef91 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -42,6 +42,7 @@
 #include <stdlib.h>
 
 #include "libavutil/mem.h"
+#include "libavutil/pixdesc.h"
 #include "avcodec.h"
 #include "bytestream.h"
 #include "internal.h"
@@ -482,6 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     unsigned int max_basesize = FFALIGN(avctx->width,  4) *
                                 FFALIGN(avctx->height, 4);
     unsigned int max_decomp_size;
+    int subsample_h, subsample_v;
 
     if (avctx->extradata_size < 8) {
         av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
@@ -507,6 +509,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
         max_decomp_size = max_basesize * 2;
         avctx->pix_fmt = AV_PIX_FMT_YUV422P;
         av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n");
+        if (avctx->width % 4) {
+            avpriv_request_sample(avctx, "Unsupported dimensions\n");
+            return AVERROR_INVALIDDATA;
+        }
         break;
     case IMGTYPE_RGB24:
         c->decomp_size = basesize * 3;
@@ -537,6 +543,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
         return AVERROR_INVALIDDATA;
     }
 
+    av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v);
+    if (avctx->width % (1<<subsample_h) || avctx->height % (1<<subsample_v)) {
+        avpriv_request_sample(avctx, "Unsupported dimensions\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Detect compression method */
     c->compression = (int8_t)avctx->extradata[5];
     switch (avctx->codec_id) {

More information about the ffmpeg-cvslog mailing list