From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 14 Nov 2015 00:36:22 +0000 (+0100)
Subject: avcodec/ivi: Check image dimensions
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u6+rpi1^2~36
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=c5f2d324c525d55da6b697a9e5d1c5cf7a6fcd23;p=libav.git

avcodec/ivi: Check image dimensions

avcodec/ivi: Check image dimensions

Fixes integer overflow
Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Gbp-Pq: Name CVE-2015-8364.patch
---

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 7c4d53e..9ff5cfa 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -30,6 +30,7 @@
 
 #define BITSTREAM_READER_LE
 #include "libavutil/attributes.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/timer.h"
 #include "avcodec.h"
 #include "get_bits.h"
@@ -312,7 +313,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg,
 
     ivi_free_buffers(planes);
 
-    if (cfg->pic_width < 1 || cfg->pic_height < 1 ||
+    if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 ||
         cfg->luma_bands < 1 || cfg->chroma_bands < 1)
         return AVERROR_INVALIDDATA;