Module: libav Branch: release/0.7 Commit: 3313f31f012a434a7c7aac6cb2c554d5cbac88fc
Author: Michael Niedermayer <michae...@gmx.at> Committer: Reinhard Tartler <siret...@tauware.de> Date: Fri Feb 17 13:35:10 2012 -0800 h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michae...@gmx.at> (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse <alex.conve...@gmail.com> Signed-off-by: Reinhard Tartler <siret...@tauware.de> (cherry picked from commit 4be63587e110c05cda3101abf2e3745d919f3fae) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler <siret...@tauware.de> --- libavcodec/h263dec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 021e172..15fc724 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -574,6 +574,11 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat + if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return -1; // width / height changed during parallelized decoding + } + s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; _______________________________________________ libav-commits mailing list libav-commits@libav.org https://lists.libav.org/mailman/listinfo/libav-commits