mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2026-07-04 02:23:20 +00:00
avcodec/magicyuv: reject slice_height misaligned with chroma vshift
Fixes: poc_magicyuv.avi
Fixes: out of array access
Found-by: Ori Hollander of the JFrog Vulnerability Research team
(cherry picked from commit 374b726ffa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
co-authored by
Michael Niedermayer
parent
5aacf46a53
commit
922ef1fa41
@@ -570,6 +570,13 @@ static int magy_decode_frame(AVCodecContext *avctx, AVFrame *p,
|
||||
"invalid slice height: %d\n", s->slice_height);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
if (s->vshift[1] && (s->slice_height & ((1 << s->vshift[1]) - 1))) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"slice_height %d is not aligned to chroma vertical "
|
||||
"subsampling (must be a multiple of %d)\n",
|
||||
s->slice_height, 1 << s->vshift[1]);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
bytestream2_skipu(&gb, 4);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user