The frame size must be set by the caller and each dimension must be a
multiple of 2.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit
17ba719d9ba30c970f65747f42d5fbb1e447ca28)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
avctx->pix_fmt = AV_PIX_FMT_PAL8;
+ if (!avctx->width || !avctx->height ||
+ (avctx->width & 1) || (avctx->height & 1)) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+ avctx->width, avctx->height);
+ return AVERROR(EINVAL);
+ }
+
s->frame = av_frame_alloc();
if (!s->frame)
return AVERROR(ENOMEM);