From cfa317f67d023443c8f097524b367ec9c48f5c81 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Fri, 16 Sep 2011 15:31:31 -0400
Subject: shorten: validate block size

---
 libavcodec/shorten.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'libavcodec/shorten.c')

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 2502587604..3f06e57084 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -330,8 +330,16 @@ static int read_header(ShortenContext *s)
 
     /* get blocksize if version > 0 */
     if (s->version > 0) {
-        int skip_bytes;
-        s->blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE));
+        int skip_bytes, blocksize;
+
+        blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE));
+        if (!blocksize || blocksize > MAX_BLOCKSIZE) {
+            av_log(s->avctx, AV_LOG_ERROR, "invalid or unsupported block size: %d\n",
+                   blocksize);
+            return AVERROR(EINVAL);
+        }
+        s->blocksize = blocksize;
+
         maxnlpc = get_uint(s, LPCQSIZE);
         s->nmean = get_uint(s, 0);
 
@@ -456,6 +464,11 @@ static int shorten_decode_frame(AVCodecContext *avctx,
                         av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
                         return AVERROR_PATCHWELCOME;
                     }
+                    if (!blocksize || blocksize > MAX_BLOCKSIZE) {
+                        av_log(avctx, AV_LOG_ERROR, "invalid or unsupported "
+                               "block size: %d\n", blocksize);
+                        return AVERROR(EINVAL);
+                    }
                     s->blocksize = blocksize;
                     break;
                 }
-- 
cgit v1.2.3