[libav-devel] [PATCH 2/2] vp56: release frames on error

Luca Barbato Fri, 14 Dec 2012 00:59:36 -0800

Fixes CVE-2012-2783

CC: libav-sta...@libav.org
---
 libavcodec/vp56.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)


diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 6779ffb..5bd0a1a 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -514,8 +514,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
         s->modelp = &s->models[is_alpha];
 
         res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
-        if (res < 0)
+        if (res < 0) {
+            int i;
+            for (i = 0; i < 4; i++) {
+                if (s->frames[i].data[0])
+                    avctx->release_buffer(avctx, &s->frames[i]);
+            }
             return res;
+        }
 
         if (res == VP56_SIZE_CHANGE) {
             int i;
-- 
1.7.12

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 2/2] vp56: release frames on error

Reply via email to