On Feb 27, 2014 4:31 PM, <[email protected]> wrote:
>
> From: Michael Niedermayer <[email protected]>
>
> Currently the code can in some cases draw tiles that hang outside the
> allocated buffer. This patch increases the buffer size to avoid out
> of array accesses.
>
> Sample available via https://trac.ffmpeg.org/ticket/2971
>
> Addresses: CVE-2013-7022
> CC: [email protected]
> Found-by: ami_stuff
>
> (cherry picked from commit e07ac727c1cc9eed39e7f9117c97006f719864bd) Drop this if you want. > Signed-off-by: Reinhard Tartler <[email protected]> > --- > libavcodec/g2meet.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c > index d9baff6..0cfa3b0 100644 > --- a/libavcodec/g2meet.c > +++ b/libavcodec/g2meet.c > @@ -450,8 +450,8 @@ static int g2m_init_buffers(G2MContext *c) > int aligned_height; > > if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { > - c->framebuf_stride = FFALIGN(c->width * 3, 16); > - aligned_height = FFALIGN(c->height, 16); > + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; > + aligned_height = c->height + 15; > av_free(c->framebuf); > c->framebuf = av_mallocz(c->framebuf_stride * aligned_height); > if (!c->framebuf) > -- > 1.8.3.2 > > _______________________________________________ > libav-devel mailing list > [email protected] > https://lists.libav.org/mailman/listinfo/libav-devel
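Review bot: in the g2m_init_buffers hunk, `aligned_height = c->height + 15` is no longer a 16-aligned value, so the variable name is now misleading, and neither `+ 15` carries a comment saying what overhang it is meant to cover. Consider renaming the variable (a padded height rather than an aligned one) and adding a one-line comment stating the largest distance a tile can extend past `c->width` and `c->height`, so the padding can be checked against the drawing code. The visible lines also pass `c->framebuf_stride * aligned_height` to `av_mallocz` as a plain int product; with the stride now larger, it is worth confirming that width and height are bounded before this point so the product cannot overflow.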
