[FFmpeg-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Mon Nov 7 23:32:29 EET 2016


This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with
coded_width/coded_height larger than width/height.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/mpegpicture.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/mpegpicture.c b/libavcodec/mpegpicture.c
index 6748fc2..70b4d3c 100644
--- a/libavcodec/mpegpicture.c
+++ b/libavcodec/mpegpicture.c
@@ -108,15 +108,15 @@ static int alloc_frame_buffer(AVCodecContext *avctx,  Picture *pic,
         avctx->codec_id != AV_CODEC_ID_VC1IMAGE  &&
         avctx->codec_id != AV_CODEC_ID_MSS2) {
         if (edges_needed) {
-            pic->f->width  = avctx->width  + 2 * EDGE_WIDTH;
-            pic->f->height = avctx->height + 2 * EDGE_WIDTH;
+            pic->f->width  = avctx->coded_width  + 2 * EDGE_WIDTH;
+            pic->f->height = avctx->coded_height + 2 * EDGE_WIDTH;
         }
 
         r = ff_thread_get_buffer(avctx, &pic->tf,
                                  pic->reference ? AV_GET_BUFFER_FLAG_REF : 0);
     } else {
-        pic->f->width  = avctx->width;
-        pic->f->height = avctx->height;
+        pic->f->width  = avctx->coded_width;
+        pic->f->height = avctx->coded_height;
         pic->f->format = avctx->pix_fmt;
         r = avcodec_default_get_buffer2(avctx, pic->f, 0);
     }
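Review bot: Sizing the allocation from `avctx->coded_width`/`avctx->coded_height` alone assumes the coded size is never smaller than the display size, and nothing in this hunk enforces that. If a decoder reaches this point with a coded dimension that is unset or smaller than `avctx->width`, the buffer ends up smaller than it was before the patch. Taking the larger of the two keeps the mss2 fix without relying on that assumption, e.g. `pic->f->width = FFMAX(avctx->width, avctx->coded_width) + 2 * EDGE_WIDTH;` and likewise for height, with the `else` branch (the path taken for AV_CODEC_ID_MSS2) and the assignments in the second hunk treated the same way. alloc_frame_buffer starts and ends outside the hunk, so any earlier validation of these fields is not visible here.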
@@ -135,8 +135,8 @@ static int alloc_frame_buffer(AVCodecContext *avctx,  Picture *pic,
                          (EDGE_WIDTH >> (i ? chroma_x_shift : 0));
             pic->f->data[i] += offset;
         }
-        pic->f->width  = avctx->width;
-        pic->f->height = avctx->height;
+        pic->f->width  = avctx->coded_width;
+        pic->f->height = avctx->coded_height;
     }
 
     if (avctx->hwaccel) {
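Review bot: After the edge offset, `pic->f->width` and `pic->f->height` now carry the coded size instead of the display size, so any later reader of this frame's dimensions sees the padded picture. Whether the output path restores the display size or applies cropping is not visible in this hunk and should be confirmed for the codecs that take the `edges_needed` path. A comment on the two new lines would record the reason, for example `/* keep the coded size: ff_er_frame_end addresses the whole coded area */`. The body of alloc_frame_buffer continues outside the hunk.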
-- 
2.10.2

