[FFmpeg-devel] [PATCH] vp8: check for too large dimensions
Michael Niedermayer
michaelni at gmx.at
Sun Jun 7 17:38:12 CEST 2015
On Sun, Jun 07, 2015 at 04:05:37PM +0200, Andreas Cadhalpun wrote:
> If the dimensions are too large, s->mb_width or s->mb_height can become
> too large, leading to an int16_t overflow of s->mv_max.{x,y}.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavcodec/vp8.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
> index dbba568..69cf138 100644
> --- a/libavcodec/vp8.c
> +++ b/libavcodec/vp8.c
> @@ -145,6 +145,8 @@ static VP8Frame *vp8_find_free_buffer(VP8Context *s)
> return frame;
> }
>
> +#define MARGIN (16 << 2)
> +#define MAX_MB_SIZE (((INT16_MAX - MARGIN) >> 6) + 1)
> static av_always_inline
> int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
> {
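Review bot: MARGIN and MAX_MB_SIZE are added without a comment, and the >> 6 and + 1 in MAX_MB_SIZE cannot be derived from the visible lines alone. A short comment naming the bound being protected (per the commit message, s->mv_max.{x,y} must fit in int16_t) and the expression the limit is inverted from would let a reader confirm it; with INT16_MAX = 32767 the macro evaluates to 511, i.e. 8176 pixels after the * 16 in the later check. The name also reads as a size while it is used as a macroblock count, so MAX_MB_COUNT or a vp8-prefixed name would be clearer for a file-scope #define.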
> @@ -160,6 +162,13 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
> return ret;
> }
>
> + if (s->avctx->coded_width > MAX_MB_SIZE * 16 ||
> + s->avctx->coded_height > MAX_MB_SIZE * 16) {
> + av_log(s->avctx, AV_LOG_ERROR, "too large dimensions %dx%d\n",
> + s->avctx->coded_width, s->avctx->coded_height);
> + return AVERROR_INVALIDDATA;
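Review bot: The new check in update_dimensions() tests s->avctx->coded_width and s->avctx->coded_height rather than the width and height arguments, and it sits after the earlier block that ends in "return ret;", so the limit is applied only once that block has run. If that block is what stores the new dimensions, rejecting here leaves them set in the context on the error path; comparing the width/height parameters against MAX_MB_SIZE * 16 at the top of the function would reject the frame before any state changes. The 16 is also a bare literal next to a macro expressed in macroblocks, so a brief comment that it is the macroblock size would help.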
I am not sure this should be AVERROR_INVALIDDATA or PATCHWELCOME,
but this patch or clamping the MV min/max to the 16-bit range to avoid
overflows should be ok.
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Its not that you shouldnt use gotos but rather that you should write
readable code and code with gotos often but not always is less readable