Update dimensions in AVCodecContext when RV3/4 frame dimensions change
authorKostya Shishkov <kostya.shishkov@gmail.com>
Sun, 22 Nov 2009 07:48:35 +0000 (07:48 +0000)
committerReinhard Tartler <siretart@tauware.de>
Fri, 4 Feb 2011 05:42:29 +0000 (06:42 +0100)
Originally committed as revision 20572 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec10d2d53999f6edf7d7b5ac88df263eccfb1fb0)

Fixes heap corruption crashes

Addresses: CVE-2011-0722
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavcodec/rv34.c

index c227707..9fe3919 100644 (file)
@@ -1247,8 +1247,8 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int
         if(s->width != r->si.width || s->height != r->si.height){
             av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height);
             MPV_common_end(s);
-            s->width  = r->si.width;
-            s->height = r->si.height;
+            s->width  = s->avctx->width  = r->si.width;
+            s->height = s->avctx->height = r->si.height;
             if(MPV_common_init(s) < 0)
                 return -1;
             r->intra_types_hist = av_realloc(r->intra_types_hist, s->b4_stride * 4 * 2 * sizeof(*r->intra_types_hist));
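Review bot: If `MPV_common_init(s)` fails right after the two changed assignments, the function returns -1 with the context already torn down by `MPV_common_end(s)` while `s->width`/`s->height`, and now also `s->avctx->width`/`s->avctx->height`, hold the new values. A later slice carrying the same header dimensions would presumably skip this branch, because the comparison at the top no longer differs, and would decode against the torn-down context; whether the caller stops decoding after the error is outside the hunk. One option is to clear the cached size on that path so the next slice retries initialisation, e.g. `if(MPV_common_init(s) < 0){ s->width = s->height = 0; return -1; }`. Separately, `r->si.width` and `r->si.height` come from the slice header and no range check is visible here, so a comment such as `/* si.width/height validated in parse_slice_header */` (if that is the case) would help the next reader confirm that bitstream-controlled values are bounded before they reach the public context. The body of rv34_decode_slice continues outside the hunk on both sides.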