Module: libav Branch: release/0.8 Commit: 2051adbfa008c06fb4c93256bc453924a4ea1a48
Author: Michael Niedermayer <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Sat Mar 24 02:40:24 2012 +0100 cavsdec: check for changing w/h. Our decoder does not support changing w/h. Fixes CVE-2012-2777 and CVE-2012-2784. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <[email protected]> (cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94) Signed-off-by: Reinhard Tartler <[email protected]> --- libavcodec/cavsdec.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index b0e517b..1dd237a 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -608,12 +608,21 @@ static int decode_pic(AVSContext *h) { static int decode_seq_header(AVSContext *h) { MpegEncContext *s = &h->s; int frame_rate_code; + int width, height; h->profile = get_bits(&s->gb,8); h->level = get_bits(&s->gb,8); skip_bits1(&s->gb); //progressive sequence - s->width = get_bits(&s->gb,14); - s->height = get_bits(&s->gb,14); + + width = get_bits(&s->gb, 14); + height = get_bits(&s->gb, 14); + if ((s->width || s->height) && (s->width != width || s->height != height)) { + av_log_missing_feature(s, "Width/height changing in CAVS is", 0); + return AVERROR_PATCHWELCOME; + } + s->width = width; + s->height = height; + skip_bits(&s->gb,2); //chroma format skip_bits(&s->gb,3); //sample_precision h->aspect_ratio = get_bits(&s->gb,4); _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
