From f97e28ebe5233f6520b161ab8dbbe937dda46dc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 7 Jun 2013 01:42:18 +0200 Subject: [PATCH] lavfi/lut3d: add sanity checks. Should fix CID1026775 and CID1026774. --- libavfilter/vf_lut3d.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index 7fc5ec1567..ef1365deaf 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c @@ -265,8 +265,8 @@ static int parse_cube(AVFilterContext *ctx, FILE *f) int i, j, k; const int size = strtol(line + 12, NULL, 0); - if (size > MAX_LEVEL) { - av_log(ctx, AV_LOG_ERROR, "Too large 3D LUT\n"); + if (size < 2 || size > MAX_LEVEL) { + av_log(ctx, AV_LOG_ERROR, "Too large or invalid 3D LUT size\n"); return AVERROR(EINVAL); } lut3d->lutsize = size; @@ -370,6 +370,12 @@ static int parse_m3d(AVFilterContext *ctx, FILE *f) av_log(ctx, AV_LOG_ERROR, "in and out must be defined\n"); return AVERROR_INVALIDDATA; } + if (in < 2 || out < 2 || + in > MAX_LEVEL*MAX_LEVEL*MAX_LEVEL || + out > MAX_LEVEL*MAX_LEVEL*MAX_LEVEL) { + av_log(ctx, AV_LOG_ERROR, "invalid in (%d) or out (%d)\n", in, out); + return AVERROR_INVALIDDATA; + } for (size = 1; size*size*size < in; size++); lut3d->lutsize = size; scale = 1. / (out - 1);