h263dec: Disallow width/height changing with frame threads.
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 17 Feb 2012 21:35:10 +0000 (13:35 -0800)
committerReinhard Tartler <siretart@tauware.de>
Tue, 22 May 2012 19:51:58 +0000 (21:51 +0200)
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)

Conflicts:

libavcodec/h263dec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavcodec/h263dec.c

index 7f0934a..1ddca19 100644 (file)
@@ -578,6 +578,11 @@ retry:
         /* H.263 could change picture size any time */
         ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
 
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
         s->parse_context.buffer=0;
         MPV_common_end(s);
         s->parse_context= pc;