avcodec/vp9: Fix stack-buffer overflow with VP9 VDPAU available

[ffmpeg] / libavcodec / clearvideo.c

diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index 0e3c772123111fc586aa5d2ad5cb2b0c97e9bd63..65bf1404016e1152c1718125455310eaee5a3e30 100644 (file)
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -524,7 +524,7 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
             return AVERROR_INVALIDDATA;
         }
 
-        if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
+        if ((ret = ff_reget_buffer(avctx, c->pic, 0)) < 0)
             return ret;
 
         c->pic->key_frame = 1;
@@ -555,7 +555,10 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
     } else {
         int plane;
 
-        if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
+        if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell(&gb)))
+            return AVERROR_INVALIDDATA;
+
+        if ((ret = ff_reget_buffer(avctx, c->pic, 0)) < 0)
             return ret;
 
         ret = av_frame_copy(c->pic, c->prev);
@@ -570,6 +573,8 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 
         for (j = 0; j < c->pmb_height; j++) {
             for (i = 0; i < c->pmb_width; i++) {
+                if (get_bits_left(&c->gb) <= 0)
+                    return AVERROR_INVALIDDATA;
                 if (get_bits1(&c->gb)) {
                     MV mv = mvi_predict(&c->mvi, i, j, zero_mv);
 
@@ -660,7 +665,7 @@ static av_cold int clv_decode_init(AVCodecContext *avctx)
     }
 
     c->tile_shift = av_log2(c->tile_size);
-    if (1 << c->tile_shift != c->tile_size) {
+    if (1U << c->tile_shift != c->tile_size) {
         av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size);
         return AVERROR_INVALIDDATA;
     }