avcodec/g2meet: check tile dimensions to avoid integer overflow

Fixes out of array access Fixes: asan_heap-oob_12a55d3_30_029.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/g2meet: check tile dimensions to avoid integer overflow
Fixes out of array access Fixes: asan_heap-oob_12a55d3_30_029.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
32e666c3 · Michael Niedermayer · f0585541 · 32e666c3
Commit 32e666c3 authored Oct 30, 2014 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

g2meet.c libavcodec/g2meet.c +4 -2

No files found.
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -736,8 +736,10 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,
            }
            c->tile_width  = bytestream2_get_be32(&bc);
            c->tile_height = bytestream2_get_be32(&bc);
-            if (!c->tile_width || !c->tile_height ||
-                ((c->tile_width | c->tile_height) & 0xF)) {
+            if (c->tile_width <= 0 || c->tile_height <= 0 ||
+                ((c->tile_width | c->tile_height) & 0xF) ||
+                c->tile_width * 4LL * c->tile_height >= INT_MAX
+            ) {
                av_log(avctx, AV_LOG_ERROR,
                       "Invalid tile dimensions %dx%d\n",
                       c->tile_width, c->tile_height);