1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
commit ae49cc73f265a155e5c4b1715570aab3d9741b4d
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon Feb 26 03:02:48 2018 +0100
avcodec/utvideodec: Check subsample factors
Fixes: Out of array read
Fixes: heap_poc
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/utvideodec.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git libavcodec/utvideodec.c libavcodec/utvideodec.c
index d888cc3cdf..ebd9d55cf2 100644
--- libavcodec/utvideodec.c
+++ libavcodec/utvideodec.c
@@ -30,6 +30,7 @@
#define UNCHECKED_BITSTREAM_READER 1
#include "libavutil/intreadwrite.h"
+#include "libavutil/pixdesc.h"
#include "avcodec.h"
#include "bswapdsp.h"
#include "bytestream.h"
@@ -789,6 +790,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
static av_cold int decode_init(AVCodecContext *avctx)
{
UtvideoContext * const c = avctx->priv_data;
+ int h_shift, v_shift;
c->avctx = avctx;
@@ -886,6 +888,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
return AVERROR_INVALIDDATA;
}
+ av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift);
+ if ((avctx->width & ((1<<h_shift)-1)) ||
+ (avctx->height & ((1<<v_shift)-1))) {
+ avpriv_request_sample(avctx, "Odd dimensions");
+ return AVERROR_PATCHWELCOME;
+ }
+
return 0;
}
|
