avformat/apngdec: validate frame dimensions.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Benoit Fouet <benoit.fouet@free.fr> 2014-11-26 10:12:18 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-11-26 23:51:07 +0100
commit: e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d (patch)
tree: fdaf757318bebe517d3cfc0e913d5610b72c1561 /libavformat/apngdec.c
parent: 345cfd04d093d9fdec81ea3531e73b1f5c1b6a6c (diff)
download: ffmpeg-e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index 8aa70a0333..276d7659d8 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -301,7 +301,11 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
         height != s->streams[0]->codec->height ||
         x_offset != 0 ||
         y_offset != 0) {
-        if (sequence_number == 0)
+        if (sequence_number == 0 ||
+            x_offset >= s->streams[0]->codec->width ||
+            width > s->streams[0]->codec->width - x_offset ||
+            y_offset >= s->streams[0]->codec->height ||
+            height > s->streams[0]->codec->height - y_offset)
             return AVERROR_INVALIDDATA;
         ctx->is_key_frame = 0;
     } else {
author	Benoit Fouet <benoit.fouet@free.fr>	2014-11-26 10:12:18 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-11-26 23:51:07 +0100
commit	e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d (patch)
tree	fdaf757318bebe517d3cfc0e913d5610b72c1561 /libavformat/apngdec.c
parent	345cfd04d093d9fdec81ea3531e73b1f5c1b6a6c (diff)
download	ffmpeg-e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d.tar.gz