[FFmpeg-cvslog] avcodec/diracdec: Check numx/y

Michael Niedermayer git at videolan.org
Thu Aug 25 05:21:44 EEST 2016


ffmpeg | branch: release/3.1 | Michael Niedermayer <michael at niedermayer.cc> | Sat Aug 20 19:21:07 2016 +0200| [049d7677156af30ea34f5871df88846a8b9bc385] | committer: Michael Niedermayer

avcodec/diracdec: Check numx/y

Fixes division by 0
Fixes: 60261c4469ba3e11059890fb2832a515/asan_generic_135e694_2790_beb94eaa0aeb7d11c0437375a8964a99.drc

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit a31e08fa1aa5c5f0518b8af850f28eb945268e66)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=049d7677156af30ea34f5871df88846a8b9bc385
---

 libavcodec/diracdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index c473e87..769dac3 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1153,6 +1153,11 @@ static int dirac_unpack_idwt_params(DiracContext *s)
     else {
         s->num_x        = get_interleaved_ue_golomb(gb);
         s->num_y        = get_interleaved_ue_golomb(gb);
+        if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) {
+            av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
+            s->num_x = s->num_y = 0;
+            return AVERROR_INVALIDDATA;
+        }
         if (s->ld_picture) {
             s->lowdelay.bytes.num = get_interleaved_ue_golomb(gb);
             s->lowdelay.bytes.den = get_interleaved_ue_golomb(gb);



More information about the ffmpeg-cvslog mailing list