[FFmpeg-devel] [PATCH] vp8: check for too large dimensions
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Sun Jun 7 18:46:02 CEST 2015
On 07.06.2015 17:38, Michael Niedermayer wrote:
> On Sun, Jun 07, 2015 at 04:05:37PM +0200, Andreas Cadhalpun wrote:
>> If the dimensions are too large, s->mb_width or s->mb_height can become
>> too large, leading to an int16_t overflow of s->mv_max.{x,y}.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>> libavcodec/vp8.c | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>
>
>
>>
>> diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
>> index dbba568..69cf138 100644
>> --- a/libavcodec/vp8.c
>> +++ b/libavcodec/vp8.c
>> @@ -145,6 +145,8 @@ static VP8Frame *vp8_find_free_buffer(VP8Context *s)
>> return frame;
>> }
>>
>> +#define MARGIN (16 << 2)
>> +#define MAX_MB_SIZE (((INT16_MAX - MARGIN) >> 6) + 1)
>> static av_always_inline
>> int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
>> {
>> @@ -160,6 +162,13 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
>> return ret;
>> }
>>
>> + if (s->avctx->coded_width > MAX_MB_SIZE * 16 ||
>> + s->avctx->coded_height > MAX_MB_SIZE * 16) {
>> + av_log(s->avctx, AV_LOG_ERROR, "too large dimensions %dx%d\n",
>> + s->avctx->coded_width, s->avctx->coded_height);
>> + return AVERROR_INVALIDDATA;
>
> iam not sure this should be AVERROR_INVALIDDATA or PATCHWELCOME
>
> but this patch or clamping the MV min/max to the 16bit range to avoid
> overflows should be ok.
AVERROR_PATCHWELCOME seems better. Updated patch attached.
Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-vp8-check-for-too-large-dimensions.patch
Type: text/x-diff
Size: 1809 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150607/166cc834/attachment.bin>
More information about the ffmpeg-devel
mailing list