avcodec/utils: Clear dimensions in ff_get_buffer() on failure
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 28 Nov 2015 19:08:46 +0000 (20:08 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 6 Dec 2015 01:51:27 +0000 (02:51 +0100)
Fixes out of array access
Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/utils.c

index 2037667..892ddb9 100644 (file)
@@ -1040,8 +1040,10 @@ end:
 int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
 {
     int ret = get_buffer_internal(avctx, frame, flags);
-    if (ret < 0)
+    if (ret < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+        frame->width = frame->height = 0;
+    }
     return ret;
 }