mmvideo: check frame dimensions

The frame size must be set by the caller and each dimension must be a
multiple of 2.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8543
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index d80c832..25124a3 100644 (file)
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx)
 
     avctx->pix_fmt = AV_PIX_FMT_PAL8;
 
+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 1) || (avctx->height & 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
     s->frame = av_frame_alloc();
     if (!s->frame)
         return AVERROR(ENOMEM);