indeo5: check tile size in decode_mb_info().

This prevents writing into a too small array if some parameters changed without the tile being reallocated. Fixes CVE-2012-2794 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>

indeo5: check tile size in decode_mb_info().
This prevents writing into a too small array if some parameters changed without the tile being reallocated. Fixes CVE-2012-2794 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>
2d09cdba · Michael Niedermayer · Anton Khirnov · e4d40443 · 2d09cdba
Commit 2d09cdba authored Apr 15, 2012 by Michael Niedermayer Committed by Anton Khirnov Sep 29, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

indeo5.c libavcodec/indeo5.c +6 -0

No files found.
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -430,6 +430,12 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
        ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv))
        return AVERROR_INVALIDDATA;
+    if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) {
+        av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n",
+               tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size));
+        return AVERROR_INVALIDDATA;
+    }
    /* scale factor for motion vectors */
    mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3);
    mv_x = mv_y = 0;