theora: check that pix fmt is valid, fix null ptr deref

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

theora: check that pix fmt is valid, fix null ptr deref
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
d1493d2c · Michael Niedermayer · 9eef41b8 · d1493d2c
Commit d1493d2c authored Nov 12, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

vp3.c libavcodec/vp3.c +6 -1

No files found.
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2175,6 +2175,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
    {
        skip_bits(gb, 5); /* keyframe frequency force */
        avctx->pix_fmt = theora_pix_fmts[get_bits(gb, 2)];
+        if (avctx->pix_fmt == AV_PIX_FMT_NONE) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid pixel format\n");
+            return AVERROR_INVALIDDATA;
+        }
        skip_bits(gb, 3); /* reserved */
    }

@@ -2349,7 +2353,8 @@ static av_cold int theora_decode_init(AVCodecContext *avctx)
    switch(ptype)
    {
        case 0x80:
-            theora_decode_header(avctx, &gb);
+            if (theora_decode_header(avctx, &gb) < 0)
+                return -1;
                break;
        case 0x81:
 // FIXME: is this needed? it breaks sometimes