Sophie

avidemux-2.5.6-2.1.mga2.tainted.src.rpm

From e70d202275bf93c6f0d480937a8230d45c343561 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 22 Mar 2012 23:43:37 +0100
Subject: [PATCH] vqavideodev: Check image dimensions

Fixes out of heap array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
Independently-Found-by: Fabian Yamaguchi
Fixes: CVE-2012-0947

Conflicts:

	libavcodec/vqavideo.c
---
 libavcodec/vqavideo.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 917e04b..727354d 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -164,6 +164,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
     s->codebook = av_malloc(s->codebook_size);
     s->next_codebook_buffer = av_malloc(s->codebook_size);
 
+    if (s->width % s->vector_width || s->height % s->vector_height) {
+        av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* initialize the solid-color vectors */
     if (s->vector_height == 4) {
         codebook_index = 0xFF00 * 16;
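Review bot: The new dimension check in vqa_decode_init returns AVERROR_INVALIDDATA after s->codebook and s->next_codebook_buffer have already been allocated with av_malloc, so the error path leaks both buffers unless the caller runs the codec's close callback after a failed init, which these lines do not show. Moving the check above the two av_malloc calls removes that dependency. The check also computes `s->width % s->vector_width` and `s->height % s->vector_height`; if nothing earlier in the function guarantees that vector_width and vector_height are non-zero, the modulo itself is undefined behaviour on crafted input, so confirm that validation precedes this point.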
-- 
1.7.10