lavc: Check the image size before calling get_buffer
authorLuca Barbato <lu_zero@gentoo.org>
Mon, 4 Aug 2014 12:15:45 +0000 (14:15 +0200)
committerLuca Barbato <lu_zero@gentoo.org>
Mon, 4 Aug 2014 12:15:45 +0000 (14:15 +0200)
Bug-Id: CVE-2011-3935
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
libavcodec/utils.c

index 19c8a99..42be645 100644 (file)
@@ -465,6 +465,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
 {
     switch (avctx->codec_type) {
     case AVMEDIA_TYPE_VIDEO:
+        if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+             return AVERROR_INVALIDDATA;
         frame->width               = avctx->width;
         frame->height              = avctx->height;
         frame->format              = avctx->pix_fmt;
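Review bot: The added guard at the top of the AVMEDIA_TYPE_VIDEO case carries no comment saying why the dimensions are validated at this point, and its `return` line is indented one column deeper than the code around it. I would put `/* validate dimensions before get_buffer sizes an allocation from them (CVE-2011-3935) */` above the `if`, write the test as `if (av_image_check_size(avctx->width, avctx->height, 0, avctx) < 0)` so it reads as the usual negative-error check, and realign the `return`. The guard only covers callers that reach ff_get_buffer(); whether any decoder sizes its own buffers from avctx->width and avctx->height without passing through it cannot be seen from this hunk and is worth confirming. The body of ff_get_buffer() continues past the end of the hunk.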