On 03/08/14 21:31, Justin Ruggles wrote:
> On 08/03/2014 11:32 AM, Diego Biurrun wrote:
>> From: Michael Niedermayer <[email protected]>
>>
>> Bug-Id: CVE-2011-3935
>>
>> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>> Signed-off-by: Michael Niedermayer <[email protected]>
>> Signed-off-by: Diego Biurrun <[email protected]>
>> ---
>>
>> Applies to the 9 branch; again, no sample.
>>
>> cmdutils.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/cmdutils.c b/cmdutils.c
>> index b65326b..f072572 100644
>> --- a/cmdutils.c
>> +++ b/cmdutils.c
>> @@ -1598,6 +1598,9 @@ int codec_get_buffer(AVCodecContext *s, AVFrame
>> *frame)
>> FrameBuffer *buf;
>> int ret, i;
>> + if (av_image_check_size(s->width, s->height, 0, s))
>> + return AVERROR_INVALIDDATA;
>> +
>> if (!*pool && (ret = alloc_buffer(pool, s, pool)) < 0)
>> return ret;
>>
>
> This seems like the lazy way out of making sure decoders validate width
> and height if they change them after init, but I suppose it doesn't hurt
> anything.
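Review bot: the av_image_check_size() call added at the top of codec_get_buffer() in cmdutils.c only protects the command-line tools, because codec_get_buffer() is the application-side get_buffer callback; any other program driving libavcodec with its own callback still receives the same unchecked s->width and s->height. If a decoder can change the dimensions after init, the validation belongs in libavcodec at the point where the dimensions are updated, so it also runs before the library's default get_buffer, with this cmdutils check kept only as defence in depth. The commit message should also say which code path produces the oversized dimensions, since "again, no sample" leaves a reviewer no way to reproduce the failure.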
Actually it is a good way to hide the bug and wait for vlc and friends to have or not have the problem depending on their get_buffer callback implementation.

lu

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
