[FFmpeg-cvslog] avcodec/diracdec: Check numx/y

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sat Aug 20 19:21:07 2016 +0200| [33ec0280f38ae6852b2447656bc0214e77abf6ef] | committer: Michael Niedermayer

avcodec/diracdec: Check numx/y

Fixes division by 0
Fixes: 60261c4469ba3e11059890fb2832a515/asan_generic_135e694_2790_beb94eaa0aeb7d11c0437375a8964a99.drc

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit a31e08fa1aa5c5f0518b8af850f28eb945268e66)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33ec0280f38ae6852b2447656bc0214e77abf6ef
---

 libavcodec/diracdec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index ea16007..dc56356 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1031,6 +1031,13 @@ static int dirac_unpack_idwt_params(DiracContext *s)
         /*[DIRAC_STD] 11.3.4 Slice coding Parameters (low delay syntax only). slice_parameters() */
         s->lowdelay.num_x     = svq3_get_ue_golomb(gb);
         s->lowdelay.num_y     = svq3_get_ue_golomb(gb);
+        if (s->lowdelay.num_x * s->lowdelay.num_y == 0 ||
+            s->lowdelay.num_x * (uint64_t)s->lowdelay.num_y > INT_MAX) {
+            av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
+            s->lowdelay.num_x = s->lowdelay.num_y = 0;
+            return AVERROR_INVALIDDATA;
+        }
+
         s->lowdelay.bytes.num = svq3_get_ue_golomb(gb);
         s->lowdelay.bytes.den = svq3_get_ue_golomb(gb);