[FFmpeg-cvslog] vp56: release frames on error

Luca Barbato git at videolan.org
Thu Jan 17 03:09:31 CET 2013


ffmpeg | branch: release/0.8 | Luca Barbato <lu_zero at gentoo.org> | Fri Dec 14 09:55:04 2012 +0100| [7fd7950174f9f2935fbf5bf1435fd0dc37be5c61] | committer: Reinhard Tartler

vp56: release frames on error

Fixes CVE-2012-2783

CC: libav-stable at libav.org

(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7fd7950174f9f2935fbf5bf1435fd0dc37be5c61
---

 libavcodec/vp56.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 96f40a1..b06ea7a 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -511,8 +511,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         s->modelp = &s->models[is_alpha];
 
         res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
-        if (res < 0)
+        if (res < 0) {
+            int i;
+            for (i = 0; i < 4; i++) {
+                if (s->frames[i].data[0])
+                    avctx->release_buffer(avctx, &s->frames[i]);
+            }
             return res;
+        }
 
         if (res == VP56_SIZE_CHANGE) {
             int i;



More information about the ffmpeg-cvslog mailing list