vp56: release frames on error
authorLuca Barbato <lu_zero@gentoo.org>
Fri, 14 Dec 2012 08:55:04 +0000 (09:55 +0100)
committerReinhard Tartler <siretart@tauware.de>
Sun, 10 Feb 2013 17:01:16 +0000 (18:01 +0100)
Fixes CVE-2012-2783

CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61)

Conflicts:

libavcodec/vp56.c

libavcodec/vp56.c

index c09dbeb..2b70d2b 100644 (file)
@@ -516,8 +516,14 @@ int vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         s->modelp = &s->models[is_alpha];
 
         res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
-        if (!res)
-            return -1;
+        if (!res) {
+            int i;
+            for (i = 0; i < 4; i++) {
+                if (s->frames[i].data[0])
+                    avctx->release_buffer(avctx, &s->frames[i]);
+            }
+            return res;
+        }
 
         if (!is_alpha) {
             p->reference = 1;