On 02/23/2012 02:20 PM, Ronald S. Bultje wrote:

> From: "Ronald S. Bultje" <[email protected]>
> 
> Prevents crashes when playing corrupt vp5/6 streams.
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: [email protected]
> ---
>  libavcodec/vp5.c |    5 +++++
>  libavcodec/vp6.c |    6 +++++-
>  2 files changed, 10 insertions(+), 1 deletions(-)
> 
> diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
> index 999b183..19079ff 100644
> --- a/libavcodec/vp5.c
> +++ b/libavcodec/vp5.c
> @@ -57,6 +57,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t 
> *buf, int buf_size,
>          }
>          rows = vp56_rac_gets(c, 8);  /* number of stored macroblock rows */
>          cols = vp56_rac_gets(c, 8);  /* number of stored macroblock cols */
> +        if (!rows || !cols) {
> +            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
> +                   cols << 4, rows << 4);
> +            return 0;
> +        }
>          vp56_rac_gets(c, 8);  /* number of displayed macroblock rows */
>          vp56_rac_gets(c, 8);  /* number of displayed macroblock cols */
>          vp56_rac_gets(c, 2);
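Review bot: The new `if (!rows || !cols)` guard after the two `vp56_rac_gets(c, 8)` reads has no comment saying why a zero dimension must be rejected, and the identical block is repeated in the first vp6.c hunk of this patch. A one-line comment above the check, such as `/* a corrupt header can carry 0 rows/cols; reject it before the dimensions are used */`, would keep a later cleanup from dropping it in either file. The `return 0` is presumably the failure return of the parse-header callback, as the existing `return 0` in the last vp6.c hunk suggests; saying so in the comment would help too. vp5_parse_header starts and ends outside the hunk.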
> diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
> index 75863a9..f6c7761 100644
> --- a/libavcodec/vp6.c
> +++ b/libavcodec/vp6.c
> @@ -77,6 +77,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
> *buf, int buf_size,
>          cols = buf[3];  /* number of stored macroblock cols */
>          /* buf[4] is number of displayed macroblock rows */
>          /* buf[5] is number of displayed macroblock cols */
> +        if (!rows || !cols) {
> +            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 
> 4, rows << 4);
> +            return 0;
> +        }
>  
>          if (!s->macroblocks || /* first frame */
>              16*cols != s->avctx->coded_width ||
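Review bot: The added check validates the value taken from `buf[3]` (and `rows`, assigned above the hunk), but nothing visible in this hunk compares `buf_size` with the offsets being indexed. If vp6_parse_header does not already bound the packet length before these fixed-offset reads, a truncated key frame would be read past its end before the zero test is reached. A length check placed ahead of the `buf[...]` reads, returning 0 like the new guard, would cover that case. The function body starts and ends outside the hunk, so this needs confirming against the full file.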
> @@ -97,7 +101,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
> *buf, int buf_size,
>              vrt_shift = 5;
>          s->sub_version = sub_version;
>      } else {
> -        if (!s->sub_version)
> +        if (!s->sub_version || !s->avctx->coded_width || 
> !s->avctx->coded_height)
>              return 0;
>  
>          if (separated_coeff || !s->filter_header) {
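Review bot: In the inter-frame branch the widened guard tests `s->avctx->coded_width` and `coded_height`, which are fields of the codec context rather than decoder state. If a caller or demuxer can fill them in before any key frame has been parsed, the branch would still run with nothing allocated. The key-frame branch in the previous hunk already uses `!s->macroblocks` as its first-frame test, so adding `|| !s->macroblocks` here would tie the check to the state the inter-frame path depends on. This is inferred from the visible lines and should be checked against where the buffers are allocated. The rest of the else branch lies outside the hunk.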


LGTM.

-Justin
