From 04f80ed3f81a31ed0ae90a1314c6adbdbbf70133 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 6 May 2015 15:34:53 +0200 Subject: [PATCH] diracdec: check that block length is valid In init_planes p->xblen and p->yblen are set to: p->xblen = s->plane[0].xblen >> s->chroma_x_shift; p->yblen = s->plane[0].yblen >> s->chroma_y_shift; These are later used as block_w and block_h arguments of s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2 in emulated_edge_mc: av_assert2(start_x < end_x && block_w > 0); av_assert2(start_y < end_y && block_h > 0); Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66) Signed-off-by: Andreas Cadhalpun --- libavcodec/diracdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 18e596a1fd..b821d469e1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -902,6 +902,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) /*[DIRAC_STD] 11.2.4 motion_data_dimensions() Calculated in function dirac_unpack_block_motion_data */ + if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 || + s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 || + !s->plane[0].xblen || !s->plane[0].yblen) { + av_log(s->avctx, AV_LOG_ERROR, + "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n", + s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift); + return AVERROR_INVALIDDATA; + } if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) { av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n"); return -1;