From a7153444df9040bf6ae103e0bbf6104b66f974cb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sun, 3 Aug 2014 00:54:33 +0100
Subject: huffyuvdec: check width size for yuv422p

Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/huffyuvdec.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'libavcodec/huffyuvdec.c')

diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index dc99d19a62..d8f31d3dd7 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -341,6 +341,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
         return AVERROR_INVALIDDATA;
     }
 
+    if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P &&
+        avctx->width % 4) {
+        av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 "
+               "for this combination of colorspace and predictor type.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if ((ret = ff_huffyuv_alloc_temp(s)) < 0)
         return ret;
 
-- 
cgit v1.2.3