From aa0dd52434768da64f1f3d8ae92bcf980c1adffc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Sun, 29 Sep 2013 01:04:05 +0300
Subject: xxan: Disallow odd width
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavcodec/xxan.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec')

diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 2bc9ff6..05ce7ff 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -50,6 +50,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
         av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", avctx->height);
         return AVERROR(EINVAL);
     }
+    if (avctx->width & 1) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width);
+        return AVERROR(EINVAL);
+    }
 
     s->buffer_size = avctx->width * avctx->height;
     s->y_buffer = av_malloc(s->buffer_size);
-- 
cgit v1.1