On 03/08/14 17:32, Diego Biurrun wrote:
> From: Michael Niedermayer <[email protected]>
> 
> Bug-Id: CVE-2011-3935
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <[email protected]>
> Signed-off-by: Diego Biurrun <[email protected]>
> ---
> 
> Applies to the 9 branch; again, no sample.
> 
>  cmdutils.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/cmdutils.c b/cmdutils.c
> index b65326b..f072572 100644
> --- a/cmdutils.c
> +++ b/cmdutils.c
> @@ -1598,6 +1598,9 @@ int codec_get_buffer(AVCodecContext *s, AVFrame *frame)
>      FrameBuffer *buf;
>      int ret, i;
>  
> +    if (av_image_check_size(s->width, s->height, 0, s))
> +        return AVERROR_INVALIDDATA;
> +
>      if (!*pool && (ret = alloc_buffer(pool, s, pool)) < 0)
>          return ret;
>  
> 

Wrong, something along those lines should be safer.


diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 19c8a99..5d32b6e 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -465,6 +465,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
 {
     switch (avctx->codec_type) {
     case AVMEDIA_TYPE_VIDEO:
+        if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+             return AVERROR_INVALIDDATA;
         frame->width               = avctx->width;
         frame->height              = avctx->height;
         frame->format              = avctx->pix_fmt;

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to