har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

h263dec: Disallow width/height changing with frame threads.

Browse Source 
Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-02-17 13:35:10 -08:00 committed by Alex Converse
parent 2f6528537f
commit 71db86d53b
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/h263dec.c
View File

@ -556,8 +556,7 @@ retry:
#if HAVE_MMX
if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
avctx->idct_algo= FF_IDCT_XVIDMMX;
avctx->coded_width= 0; // force reinit
// ff_dsputil_init(&s->dsp, avctx);
ff_dct_common_init(s);
s->picture_number=0;
}
#endif
@ -571,6 +570,12 @@ retry:
|| s->height != avctx->coded_height) {
/* H.263 could change picture size any time */
ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
return -1; // width / height changed during parallelized decoding
}
s->parse_context.buffer=0;
ff_MPV_common_end(s);
s->parse_context= pc;