avcodec/magicyuv: reject slice_height misaligned with chroma vshift

Fixes: poc_magicyuv.avi
Fixes: out of array access

Found-by: Ori Hollander of the JFrog Vulnerability Research team
(cherry picked from commit 374b726ffa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Ori Hollander
2026-06-13 14:55:37 +02:00
committed by Michael Niedermayer
co-authored by Michael Niedermayer
parent 5aacf46a53
commit 922ef1fa41
+7
@@ -570,6 +570,13 @@ static int magy_decode_frame(AVCodecContext *avctx, AVFrame *p,
"invalid slice height: %d\n", s->slice_height);
return AVERROR_INVALIDDATA;
}
if (s->vshift[1] && (s->slice_height & ((1 << s->vshift[1]) - 1))) {
av_log(avctx, AV_LOG_ERROR,
"slice_height %d is not aligned to chroma vertical "
"subsampling (must be a multiple of %d)\n",
s->slice_height, 1 << s->vshift[1]);
return AVERROR_INVALIDDATA;
}
bytestream2_skipu(&gb, 4);