From 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 22 Mar 2012 23:43:37 +0100
Subject: vqavideodev: Check image dimensions

Fixes out of heap array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vqavideo.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavcodec/vqavideo.c')

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 85725ccc87..5c864c2ab1 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -164,6 +164,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
     if (!s->next_codebook_buffer)
         goto fail;
 
+    if (s->width % s->vector_width || s->height % s->vector_height) {
+        av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n");
+        goto fail;
+    }
+
     /* allocate decode buffer */
     s->decode_buffer_size = (s->width / s->vector_width) *
         (s->height / s->vector_height) * 2;
-- 
cgit v1.2.1