[FFmpeg-cvslog] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
    Michael Niedermayer 
    git at videolan.org
       
    Wed Oct 12 15:46:03 EEST 2022
    
    
  
ffmpeg | branch: release/3.4 | Michael Niedermayer <michael at niedermayer.cc> | Sun Jul  3 13:31:19 2022 +0200| [f3e18932ffaad9b92384e27293ff95d495c6e3ec] | committer: Michael Niedermayer
avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
This limit is possibly not reachable due to other restrictions on buffers but
the decoder run table is too small beyond this, so explicitly check for it.
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3e18932ffaad9b92384e27293ff95d495c6e3ec
---
 libavcodec/ffv1dec.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 68a06b1c5f..27f954bd52 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -188,6 +188,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
          || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
         return -1;
 
+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
+
     for (i = 0; i < f->plane_count; i++) {
         PlaneContext * const p = &fs->plane[i];
         int idx = get_symbol(c, state, 0);
    
    
More information about the ffmpeg-cvslog
mailing list