[FFmpeg-cvslog] avcodec/vc1: Check for excessive resolution
Michael Niedermayer
git at videolan.org
Sat Sep 28 20:24:24 EEST 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Thu Aug 8 19:30:50 2019 +0200| [181e138da7207523b387eabc28d24e74a46248bc] | committer: Michael Niedermayer
avcodec/vc1: Check for excessive resolution
Fixes: overflow in aspect ratio calculation
Fixes: signed integer overflow: 393215 * 14594 cannot be represented in type 'int'
Fixes: 15728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5661588893204480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=181e138da7207523b387eabc28d24e74a46248bc
---
libavcodec/vc1.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 42bfca55b1..13119bd0b3 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -451,7 +451,11 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb)
h = get_bits(gb, 8) + 1;
v->s.avctx->sample_aspect_ratio = (AVRational){w, h};
} else {
- av_reduce(&v->s.avctx->sample_aspect_ratio.num,
+ if (v->s.avctx->width > v->max_coded_width ||
+ v->s.avctx->height > v->max_coded_height) {
+ avpriv_request_sample(v->s.avctx, "Huge resolution");
+ } else
+ av_reduce(&v->s.avctx->sample_aspect_ratio.num,
&v->s.avctx->sample_aspect_ratio.den,
v->s.avctx->height * w,
v->s.avctx->width * h,
More information about the ffmpeg-cvslog
mailing list