On 07.06.2015 17:38, Michael Niedermayer wrote: > On Sun, Jun 07, 2015 at 04:05:37PM +0200, Andreas Cadhalpun wrote: >> If the dimensions are too large, s->mb_width or s->mb_height can become >> too large, leading to an int16_t overflow of s->mv_max.{x,y}. >> >> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> >> --- >> libavcodec/vp8.c | 10 +++++++++- >> 1 file changed, 9 insertions(+), 1 deletion(-) > > > >> >> diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c >> index dbba568..69cf138 100644 >> --- a/libavcodec/vp8.c >> +++ b/libavcodec/vp8.c >> @@ -145,6 +145,8 @@ static VP8Frame *vp8_find_free_buffer(VP8Context *s) >> return frame; >> } >> >> +#define MARGIN (16 << 2) >> +#define MAX_MB_SIZE (((INT16_MAX - MARGIN) >> 6) + 1) >> static av_always_inline >> int update_dimensions(VP8Context *s, int width, int height, int is_vp7) >> { >> @@ -160,6 +162,13 @@ int update_dimensions(VP8Context *s, int width, int >> height, int is_vp7) >> return ret; >> } >> >> + if (s->avctx->coded_width > MAX_MB_SIZE * 16 || >> + s->avctx->coded_height > MAX_MB_SIZE * 16) { >> + av_log(s->avctx, AV_LOG_ERROR, "too large dimensions %dx%d\n", >> + s->avctx->coded_width, s->avctx->coded_height); >> + return AVERROR_INVALIDDATA; > > I am not sure this should be AVERROR_INVALIDDATA or PATCHWELCOME > > but this patch or clamping the MV min/max to the 16bit range to avoid > overflows should be ok.
AVERROR_PATCHWELCOME seems better. Updated patch attached. Best regards, Andreas
>From affc6e50db56dbdb5a7b45e9ddca2a4d361df3b4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> Date: Sun, 7 Jun 2015 16:01:20 +0200 Subject: [PATCH] vp8: check for too large dimensions If the dimensions are too large, s->mb_width or s->mb_height can become too large, leading to an int16_t overflow of s->mv_max.{x,y}. Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> --- libavcodec/vp8.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index dbba568..98ec72d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -145,6 +145,8 @@ static VP8Frame *vp8_find_free_buffer(VP8Context *s) return frame; } +#define MARGIN (16 << 2) +#define MAX_MB_SIZE (((INT16_MAX - MARGIN) >> 6) + 1) static av_always_inline int update_dimensions(VP8Context *s, int width, int height, int is_vp7) { @@ -160,6 +162,14 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return ret; } + if (s->avctx->coded_width > MAX_MB_SIZE * 16 || + s->avctx->coded_height > MAX_MB_SIZE * 16) { + av_log(s->avctx, AV_LOG_ERROR, + "large dimensions %dx%d not supported\n", + s->avctx->coded_width, s->avctx->coded_height); + return AVERROR_PATCHWELCOME; + } + s->mb_width = (s->avctx->coded_width + 15) / 16; s->mb_height = (s->avctx->coded_height + 15) / 16; @@ -2177,7 +2187,6 @@ void filter_mb_simple(VP8Context *s, uint8_t *dst, VP8FilterStrength *f, } } -#define MARGIN (16 << 2) static av_always_inline void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe, VP8Frame *prev_frame, int is_vp7) -- 2.1.4
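Review bot: The two macros added above update_dimensions() carry no comment tying them to the int16_t limit named in the commit message, and MAX_MB_SIZE reads as a size when it is actually a per-dimension macroblock count (it is compared as MAX_MB_SIZE * 16 against coded_width, which then becomes mb_width via (coded_width + 15) / 16). A short comment explaining where the ">> 6" and the "+ 1" come from, and a name along the lines of MAX_MB_COUNT, would let the next reader verify the bound without hunting for the s->mv_max computation, which is not visible in this patch. Because the last hunk removes MARGIN from its place above vp78_decode_mv_mb_modes(), the same comment should say that MARGIN is now shared by both users.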
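Review bot: In the new check in update_dimensions(), the av_log() message prints the rejected dimensions but not the limit, so a user who hits "large dimensions %dx%d not supported" cannot tell what the decoder would accept; adding the maximum (MAX_MB_SIZE * 16) to the message would fix that. The check also sits after the earlier block that ends in "return ret;", so whatever that preceding call did with width and height has already taken effect when this path returns AVERROR_PATCHWELCOME. If that call changes context state, consider testing the width and height arguments before it instead of s->avctx->coded_width and s->avctx->coded_height afterwards.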
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel