From: Michael Niedermayer <[email protected]>

Currently the code can in some cases draw tiles that hang outside the
allocated buffer. This patch increases the buffer size to avoid out
of array accesses.

Sample available via https://trac.ffmpeg.org/ticket/2971

Addresses: CVE-2013-7022
CC: [email protected]
Found-by: ami_stuff

(cherry picked from commit e07ac727c1cc9eed39e7f9117c97006f719864bd)
Signed-off-by: Reinhard Tartler <[email protected]>
---
 libavcodec/g2meet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index d9baff6..0cfa3b0 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -450,8 +450,8 @@ static int g2m_init_buffers(G2MContext *c)
     int aligned_height;
 
     if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) {
-        c->framebuf_stride = FFALIGN(c->width * 3, 16);
-        aligned_height     = FFALIGN(c->height,    16);
+        c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3;
+        aligned_height     = c->height + 15;
         av_free(c->framebuf);
         c->framebuf = av_mallocz(c->framebuf_stride * aligned_height);
         if (!c->framebuf)
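Review bot: the size handed to av_mallocz at the end of this hunk, `c->framebuf_stride * aligned_height`, is still an `int` multiplication, and the new `FFALIGN(c->width + 15, 16) * 3` stride together with `c->height + 15` make the product larger than before; unless width and height are bounded earlier in the decoder (not visible in this hunk), the product can wrap and allocate a buffer smaller than the tiles need, which would defeat the fix. Suggest computing it in size_t, e.g. `c->framebuf = av_mallocz((size_t)c->framebuf_stride * aligned_height);`, or rejecting dimensions whose product exceeds INT_MAX before the allocation. The two `+ 15` terms also deserve a one-line comment saying they leave room for a tile up to 16 pixels wide or high hanging past the right and bottom edges, since that reasoning currently lives only in the commit message.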
-- 
1.8.3.2

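The following is an added illustration, not code from the patch or from libavcodec: it recomputes the buffer geometry before and after the patch for a few frame sizes and checks whether the last tile of the frame would write past the end of the buffer. It assumes 16x16 tiles and 3 bytes per pixel (the `* 3` in the patch); the real decoder's tile size is not stated on this page, and the FFALIGN macro is reproduced here with the same rounding semantics as libavutil's.

```c
#include <stdio.h>
#include <stddef.h>

/* Same rounding as libavutil's FFALIGN: round x up to a multiple of a (a power of two). */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Assumed for this illustration: 16x16 tiles, 24-bit RGB. */
#define TILE 16
#define BPP  3

/* Buffer geometry as allocated before the patch: stride rounded in bytes,
 * height rounded to a multiple of 16. */
static size_t old_buffer_size(int width, int height, int *stride)
{
    *stride = FFALIGN(width * BPP, 16);
    return (size_t)*stride * FFALIGN(height, 16);
}

/* Buffer geometry as allocated after the patch: stride rounded in pixels
 * with 15 pixels of slack, 15 extra rows. */
static size_t new_buffer_size(int width, int height, int *stride)
{
    *stride = FFALIGN(width + 15, 16) * BPP;
    return (size_t)*stride * (height + 15);
}

/* Byte offset one past the last byte a TILE x TILE tile at tile
 * coordinates (tx, ty) touches, for a row stride of `stride` bytes. */
static size_t tile_end_offset(int tx, int ty, int stride)
{
    int last_row = ty * TILE + TILE - 1;
    int end_x    = tx * TILE + TILE;   /* exclusive, in pixels */
    return (size_t)last_row * stride + (size_t)end_x * BPP;
}

/* 1 if the bottom-right tile of a width x height frame ends past buf_size bytes. */
static int last_tile_overruns(int width, int height, int stride, size_t buf_size)
{
    int tiles_x = (width  + TILE - 1) / TILE;
    int tiles_y = (height + TILE - 1) / TILE;
    return tile_end_offset(tiles_x - 1, tiles_y - 1, stride) > buf_size;
}

static int overruns_before_patch(int width, int height)
{
    int stride;
    size_t n = old_buffer_size(width, height, &stride);
    return last_tile_overruns(width, height, stride, n);
}

static int overruns_after_patch(int width, int height)
{
    int stride;
    size_t n = new_buffer_size(width, height, &stride);
    return last_tile_overruns(width, height, stride, n);
}

int main(void)
{
    /* Constructed sample dimensions: one tile-aligned, two that are not. */
    static const int dims[][2] = { {16, 16}, {17, 17}, {33, 1} };
    for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
        int w = dims[i][0], h = dims[i][1], s_old, s_new;
        size_t n_old = old_buffer_size(w, h, &s_old);
        size_t n_new = new_buffer_size(w, h, &s_new);
        printf("%dx%d: before %zu bytes (stride %d) overrun=%d; "
               "after %zu bytes (stride %d) overrun=%d\n",
               w, h, n_old, s_old, overruns_before_patch(w, h),
               n_new, s_new, overruns_after_patch(w, h));
    }
    return 0;
}
```

With a 17x17 frame the old stride is FFALIGN(51, 16) = 64 bytes, which holds only 21 pixels, while the second tile column ends at pixel 32 (96 bytes), so the bottom-right tile ends 32 bytes past the 2048-byte buffer; the patched geometry gives a 96-byte stride and 32 rows, which the same tile fits exactly.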
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
