From 467e7a8f26e54c300ba494bf00033fec1078fa45 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 7 Jun 2013 20:36:48 +0200
Subject: avcodec/smvjpegdec: check that frames_per_jpeg cleanly divides height

Fixes out of array access
If some valid files fail this check then please open a ticket and ping me and the smvjpegdec maintainer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/smvjpegdec.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c
index 81ac08b180..efd2fa25d8 100644
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -124,6 +124,7 @@ static av_cold int smvjpeg_decode_init(AVCodecContext *avctx)
 static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
 {
+ const AVPixFmtDescriptor *desc;
 SMVJpegDecodeContext *s = avctx->priv_data;
 AVFrame* mjpeg_data = s->picture[0];
 int i, cur_frame = 0, ret = 0;
@@ -134,6 +135,12 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
 if (!cur_frame) ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt);
+ desc = av_pix_fmt_desc_get(s->avctx->pix_fmt);
+ if (desc && mjpeg_data->height % (s->frames_per_jpeg << desc->log2_chroma_h)) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid height\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /*use the last lot... */
 *data_size = s->mjpeg_data_size;
-- 
cgit v1.2.3
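Review bot: The added height check in the second hunk fails open, because `desc &&` lets a NULL descriptor (an unset or unknown `s->avctx->pix_fmt`) skip the validation, so the code this patch is meant to protect may then run unguarded; I would reject that case as well, `if (!desc || mjpeg_data->height % (s->frames_per_jpeg << desc->log2_chroma_h)) {`. In the visible lines `ret` from `avcodec_decode_video2()` is also not tested before `mjpeg_data->height` is read, so a failed decode reaches the check with whatever the frame currently holds; `if (ret < 0) return ret;` directly after the call would close that, unless later code depends on continuing. The divisor is a signed left shift of `frames_per_jpeg`, so the modulo is only well defined if `smvjpeg_decode_init` bounds that value to a small positive range, which is worth confirming since init is not part of this hunk. `smvjpeg_decode_frame` continues past the end of the hunk.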