x/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-24 05:33:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/magicyuv: Expand the s->interlaced slice-height sanity check

Browse Source 
Fixes: poc_magicyuv.avi
Fixes: out of array access

Found-by: Ori Hollander of the JFrog Vulnerability Research team
(cherry picked from commit 5806e8b9f3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-06-14 04:40:54 +02:00
parent a991b3e110
commit e302bafe79
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavcodec/magicyuv.c
+4 -4
View File
@@ -564,11 +564,11 @@ static int magy_decode_frame(AVCodecContext *avctx, AVFrame *p,
return AVERROR_INVALIDDATA;
}
if ((s->slice_height >> s->vshift[1]) <= s->interlaced) {
av_log(avctx, AV_LOG_ERROR, "impossible slice height\n");
return AVERROR_INVALIDDATA;
}
if (s->interlaced) {
if ((s->slice_height >> s->vshift[1]) < 2) {
av_log(avctx, AV_LOG_ERROR, "impossible slice height\n");
return AVERROR_INVALIDDATA;
}
if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) {
av_log(avctx, AV_LOG_ERROR, "impossible height\n");
return AVERROR_INVALIDDATA;