From e70d202275bf93c6f0d480937a8230d45c343561 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 22 Mar 2012 23:43:37 +0100
Subject: [PATCH] vqavideodev: Check image dimensions

Fixes out of heap array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d)
Independently-Found-by: Fabian Yamaguchi
Fixes: CVE-2012-0947
Conflicts:
libavcodec/vqavideo.c
---
 libavcodec/vqavideo.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 917e04b..727354d 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -164,6 +164,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
 s->codebook = av_malloc(s->codebook_size);
 s->next_codebook_buffer = av_malloc(s->codebook_size);
 
+ if (s->width % s->vector_width || s->height % s->vector_height) {
+ av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /* initialize the solid-color vectors */
 if (s->vector_height == 4) {
 codebook_index = 0xFF00 * 16;
-- 
1.7.10
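Review bot: The new early `return AVERROR_INVALIDDATA;` sits after the two `av_malloc()` calls for `s->codebook` and `s->next_codebook_buffer`, so a file rejected by this check leaves both buffers allocated unless the caller runs the codec's close callback on init failure, which is not visible here. Moving the whole `if (s->width % s->vector_width || s->height % s->vector_height)` block above `s->codebook = av_malloc(s->codebook_size);` rejects the same inputs without allocating first. The modulo also relies on `s->vector_width` and `s->vector_height` having been validated as non-zero earlier in `vqa_decode_init`, whose body starts and ends outside the hunk; if they were not, the check itself divides by zero on a crafted header. A short comment such as `/* blocks are decoded in whole vectors; a partial block would index past the frame */` would record why the dimensions must be exact multiples.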