[FFmpeg-cvslog] lavc: Check the image size before calling get_buffer

Luca Barbato git at videolan.org
Fri Aug 8 15:02:38 CEST 2014


ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Mon Aug  4 14:15:45 2014 +0200| [146b187113e3cc20c2a97c5f264da13e701ca247] | committer: Luca Barbato

lavc: Check the image size before calling get_buffer

Bug-Id: CVE-2011-3935
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=146b187113e3cc20c2a97c5f264da13e701ca247
---

 libavcodec/utils.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 19c8a99..42be645 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -465,6 +465,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
 {
     switch (avctx->codec_type) {
     case AVMEDIA_TYPE_VIDEO:
+        if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+             return AVERROR_INVALIDDATA;
         frame->width               = avctx->width;
         frame->height              = avctx->height;
         frame->format              = avctx->pix_fmt;



More information about the ffmpeg-cvslog mailing list