On Fri, 14 Dec 2012 09:59:15 +0100, Luca Barbato <lu_z...@gentoo.org> wrote:
> Fixes CVE-2012-2783
> 
> CC: libav-sta...@libav.org
> ---
>  libavcodec/vp56.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
> index 6779ffb..5bd0a1a 100644
> --- a/libavcodec/vp56.c
> +++ b/libavcodec/vp56.c
> @@ -514,8 +514,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void 
> *data, int *got_frame,
>          s->modelp = &s->models[is_alpha];
>  
>          res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
> -        if (res < 0)
> +        if (res < 0) {
> +            int i;
> +            for (i = 0; i < 4; i++) {
> +                if (s->frames[i].data[0])
> +                    avctx->release_buffer(avctx, &s->frames[i]);
> +            }
>              return res;
> +        }
>  
>          if (res == VP56_SIZE_CHANGE) {
>              int i;
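Review bot: In the new `if (res < 0)` branch, the guard `if (s->frames[i].data[0])` only prevents a second release if `release_buffer` clears `data[0]`; please confirm that holds for the callback in use, or reset the pointer explicitly after the call, since a stale pointer here would be released again on a later path. The literal bound `i < 4` would be safer written as `FF_ARRAY_ELEMS(s->frames)`, and since the `VP56_SIZE_CHANGE` block just below also opens with `int i;`, a shared release helper would avoid two copies of the loop if that block does the same thing. The commit message should also say why a header parse failure needs every frame released, not only name the CVE.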
> -- 
> 1.7.12
> 

Both patches look fine, assuming FATE passes and the relevant sample no
longer double frees.

-- 
Anton Khirnov
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
