avcodec/rawdec: Check the return code of avpicture_get_size()
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 26 Nov 2014 17:56:39 +0000 (18:56 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 30 Nov 2014 20:40:36 +0000 (21:40 +0100)
Fixes out of array access
Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1d3a3b9f8907625b361420d48fe05716859620ff)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/rawdec.c

index 28792a1..647dfa9 100644 (file)
@@ -172,6 +172,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
         context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width,
                                                  avctx->height);
     }
+    if (context->frame_size < 0)
+        return context->frame_size;
+
     need_copy = !avpkt->buf || context->is_2_4_bpp || context->is_yuv2 || context->is_lt_16bpp;
 
     frame->pict_type        = AV_PICTURE_TYPE_I;