vp56: error out on invalid stream dimensions.

Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-23 23:19:33 +0400
committer: Reinhard Tartler <siretart@tauware.de> 2012-04-01 20:33:27 +0400
commit: f28ec733798ceb2fc4a9c8a9c39c73e8d447310f (patch)
tree: 28d9f769c9f76f4b1f737428fb157f4cd80b64d7 /libavcodec
parent: a2d5e741a889bfed621e18a94ff266d49d280557 (diff)
2 files changed, 10 insertions, 1 deletions
diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
index d61163e64c..2b975801d0 100644
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -55,6 +55,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
         }
         rows = vp56_rac_gets(c, 8);  /* number of stored macroblock rows */
         cols = vp56_rac_gets(c, 8);  /* number of stored macroblock cols */
+        if (!rows || !cols) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
+                   cols << 4, rows << 4);
+            return 0;
+        }
         vp56_rac_gets(c, 8);  /* number of displayed macroblock rows */
         vp56_rac_gets(c, 8);  /* number of displayed macroblock cols */
         vp56_rac_gets(c, 2);
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 02fe70bf7f..b0d8642465 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -75,6 +75,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
         cols = buf[3];  /* number of stored macroblock cols */
         /* buf[4] is number of displayed macroblock rows */
         /* buf[5] is number of displayed macroblock cols */
+        if (!rows || !cols) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
+            return 0;
+        }
 
         if (!s->macroblocks || /* first frame */
             16*cols != s->avctx->coded_width ||
@@ -95,7 +99,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
             vrt_shift = 5;
         s->sub_version = sub_version;
     } else {
-        if (!s->sub_version)
+        if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
             return 0;
 
         if (separated_coeff || !s->filter_header) {
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-23 23:19:33 +0400
committer	Reinhard Tartler <siretart@tauware.de>	2012-04-01 20:33:27 +0400
commit	f28ec733798ceb2fc4a9c8a9c39c73e8d447310f (patch)
tree	28d9f769c9f76f4b1f737428fb157f4cd80b64d7 /libavcodec
parent	a2d5e741a889bfed621e18a94ff266d49d280557 (diff)