| Message ID | 1379358389-64839-5-git-send-email-martin@martin.st |
|---|---|
| State | Superseded |
| Headers | show |
On 16 September 2013 12:06, Martin Storsjö <martin@martin.st> wrote: > Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: libav-stable@libav.org > --- > libavcodec/rv10.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c > index 0d3b648..a73ebfe 100644 > --- a/libavcodec/rv10.c > +++ b/libavcodec/rv10.c > @@ -432,6 +432,10 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) > av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); > return AVERROR_INVALIDDATA; > } > + if (avctx->coded_width <= 0 || avctx->coded_height <= 0) { > + av_log(avctx, AV_LOG_ERROR, "Invalid picture dimensions\n"); > + return AVERROR_INVALIDDATA; > + } > Looks OK, is there a maximum dimension?
On Mon, 16 Sep 2013, Josh Allmann wrote: > On 16 September 2013 12:06, Martin Storsjö <martin@martin.st> wrote: >> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind >> CC: libav-stable@libav.org >> --- >> libavcodec/rv10.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c >> index 0d3b648..a73ebfe 100644 >> --- a/libavcodec/rv10.c >> +++ b/libavcodec/rv10.c >> @@ -432,6 +432,10 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) >> av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); >> return AVERROR_INVALIDDATA; >> } >> + if (avctx->coded_width <= 0 || avctx->coded_height <= 0) { >> + av_log(avctx, AV_LOG_ERROR, "Invalid picture dimensions\n"); >> + return AVERROR_INVALIDDATA; >> + } >> > > Looks OK, is there a maximum dimension? No idea, but that normally should be caught by e.g. allocations of frames failing, unless there's some other reason to limit it (e.g. avoiding arithmetic overflow somewhere or so). // Martin
On Tue, Sep 17, 2013 at 11:24:57AM +0300, Martin Storsjö wrote: > On Mon, 16 Sep 2013, Josh Allmann wrote: > > >On 16 September 2013 12:06, Martin Storsjö <martin@martin.st> wrote: > >>Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > >>CC: libav-stable@libav.org > >>--- > >> libavcodec/rv10.c | 4 ++++ > >> 1 file changed, 4 insertions(+) > >> > >>diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c > >>index 0d3b648..a73ebfe 100644 > >>--- a/libavcodec/rv10.c > >>+++ b/libavcodec/rv10.c > >>@@ -432,6 +432,10 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) > >> av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); > >> return AVERROR_INVALIDDATA; > >> } > >>+ if (avctx->coded_width <= 0 || avctx->coded_height <= 0) { > >>+ av_log(avctx, AV_LOG_ERROR, "Invalid picture dimensions\n"); > >>+ return AVERROR_INVALIDDATA; > >>+ } > >> > > > >Looks OK, is there a maximum dimension? > > No idea, but that normally should be caught by e.g. allocations of > frames failing, unless there's some other reason to limit it (e.g. > avoiding arithmetic overflow somewhere or so). we have av_image_check_size()
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 0d3b648..a73ebfe 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -432,6 +432,10 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return AVERROR_INVALIDDATA; } + if (avctx->coded_width <= 0 || avctx->coded_height <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid picture dimensions\n"); + return AVERROR_INVALIDDATA; + } ff_MPV_decode_defaults(s);