[12/18] mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory

Message ID 1379358389-64839-12-git-send-email-martin@martin.st
State Committed
Commit f875a732e36786d49f3650e3235272891a820600

Commit Message

Martin Storsjö Sept. 16, 2013, 7:06 p.m.
This avoids a potential division by zero.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/mpeg4videodec.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Comments

Luca Barbato Sept. 16, 2013, 9:39 p.m. | #1
On 16/09/13 21:06, Martin Storsjö wrote:
> This avoids a potential division by zero.
> 
> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: libav-stable@libav.org
> ---
>  libavcodec/mpeg4videodec.c |   12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 

Ok.

Patch

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index ca937da..8760ab7 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -154,7 +154,7 @@  static inline int mpeg4_is_resync(MpegEncContext *s){
     return 0;
 }
 
-static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
+static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb)
 {
     int i;
     int a= 2<<s->sprite_warping_accuracy;
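Review bot: The new `int` return on mpeg4_decode_sprite_trajectory has no documented contract, and the context lines above the signature show no doc comment. Callers now depend on a negative value meaning "stop decoding this header", so that should be stated at the definition, for example `/** @return 0 on success, AVERROR_INVALIDDATA if the picture width or height is not positive */`. The function body continues outside this hunk, so other exit paths could not be checked from here.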
@@ -170,6 +170,9 @@  static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb
     int h= s->height;
     int min_ab;
 
+    if (w <= 0 || h <= 0)
+        return AVERROR_INVALIDDATA;
+
     for(i=0; i<s->num_sprite_warping_points; i++){
         int length;
         int x=0, y=0;
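Review bot: The `w <= 0 || h <= 0` guard carries no comment tying it to the arithmetic it protects. The divisions named in the commit message sit further down, outside this hunk, so a later refactor could move or drop the check without noticing. A one-line comment above it would help, such as `/* w and h are used as divisors below; reject empty frames before any sprite math */`. The guard returns before the loop that presumably consumes the warping-point bits from `gb`, so the bitstream position is only meaningful if every caller aborts on failure; both callers in this patch do.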
@@ -342,6 +345,7 @@  static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb
         }
         s->real_sprite_warping_points= s->num_sprite_warping_points;
     }
+    return 0;
 }
 
 /**
@@ -416,7 +420,8 @@  int ff_mpeg4_decode_video_packet_header(MpegEncContext *s)
             skip_bits(&s->gb, 3); /* intra dc vlc threshold */
 //FIXME don't just ignore everything
             if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){
-                mpeg4_decode_sprite_trajectory(s, &s->gb);
+                if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
+                    return AVERROR_INVALIDDATA;
                 av_log(s->avctx, AV_LOG_ERROR, "untested\n");
             }
 
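Review bot: The call site in ff_mpeg4_decode_video_packet_header tests the result for `< 0` but then returns a hard-coded `AVERROR_INVALIDDATA`, discarding the callee's actual code. The same pattern appears in the decode_vop_header hunk. If the helper later gains another failure code, both callers would silently misreport it. Propagating the value keeps them correct: `int ret = mpeg4_decode_sprite_trajectory(s, &s->gb);` followed by `if (ret < 0) return ret;`. Whether the other error paths of these two functions already return AVERROR codes is not visible in the hunks, so the convention should be checked against the rest of each function.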
@@ -2031,7 +2036,8 @@  static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){
      }
 
      if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){
-         mpeg4_decode_sprite_trajectory(s, gb);
+         if (mpeg4_decode_sprite_trajectory(s, gb) < 0)
+             return AVERROR_INVALIDDATA;
          if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n");
          if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
      }