mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2024-09-20 05:16:38 +00:00
avcodec/g2meet: check tile dimensions to avoid integer overflow
Fixes out of array access
Fixes: asan_heap-oob_12a55d3_30_029.wmv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 32e666c354
)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
24d725f455
commit
1f636a697f
@ -736,8 +736,10 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,
|
|||||||
}
|
}
|
||||||
c->tile_width = bytestream2_get_be32(&bc);
|
c->tile_width = bytestream2_get_be32(&bc);
|
||||||
c->tile_height = bytestream2_get_be32(&bc);
|
c->tile_height = bytestream2_get_be32(&bc);
|
||||||
if (!c->tile_width || !c->tile_height ||
|
if (c->tile_width <= 0 || c->tile_height <= 0 ||
|
||||||
((c->tile_width | c->tile_height) & 0xF)) {
|
((c->tile_width | c->tile_height) & 0xF) ||
|
||||||
|
c->tile_width * 4LL * c->tile_height >= INT_MAX
|
||||||
|
) {
|
||||||
av_log(avctx, AV_LOG_ERROR,
|
av_log(avctx, AV_LOG_ERROR,
|
||||||
"Invalid tile dimensions %dx%d\n",
|
"Invalid tile dimensions %dx%d\n",
|
||||||
c->tile_width, c->tile_height);
|
c->tile_width, c->tile_height);
|
||||||
|
Loading…
Reference in New Issue
Block a user