On 07.11.2016 22:32, Andreas Cadhalpun wrote:
> This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with
> coded_width/coded_height larger than width/height.
>
> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> ---
> libavcodec/mpegpicture.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/libavcodec/mpegpicture.c b/libavcodec/mpegpicture.c
> index 6748fc2..70b4d3c 100644
> --- a/libavcodec/mpegpicture.c
> +++ b/libavcodec/mpegpicture.c
> @@ -108,15 +108,15 @@ static int alloc_frame_buffer(AVCodecContext *avctx,
> Picture *pic,
> avctx->codec_id != AV_CODEC_ID_VC1IMAGE &&
> avctx->codec_id != AV_CODEC_ID_MSS2) {
> if (edges_needed) {
> - pic->f->width = avctx->width + 2 * EDGE_WIDTH;
> - pic->f->height = avctx->height + 2 * EDGE_WIDTH;
> + pic->f->width = avctx->coded_width + 2 * EDGE_WIDTH;
> + pic->f->height = avctx->coded_height + 2 * EDGE_WIDTH;
> }
>
> r = ff_thread_get_buffer(avctx, &pic->tf,
> pic->reference ? AV_GET_BUFFER_FLAG_REF :
> 0);
> } else {
> - pic->f->width = avctx->width;
> - pic->f->height = avctx->height;
> + pic->f->width = avctx->coded_width;
> + pic->f->height = avctx->coded_height;
> pic->f->format = avctx->pix_fmt;
> r = avcodec_default_get_buffer2(avctx, pic->f, 0);
> }
> @@ -135,8 +135,8 @@ static int alloc_frame_buffer(AVCodecContext *avctx,
> Picture *pic,
> (EDGE_WIDTH >> (i ? chroma_x_shift : 0));
> pic->f->data[i] += offset;
> }
> - pic->f->width = avctx->width;
> - pic->f->height = avctx->height;
> + pic->f->width = avctx->coded_width;
> + pic->f->height = avctx->coded_height;
> }
>
> if (avctx->hwaccel) {
>
Ping. It would be good to have this fixed in 3.2.1.
Best regards,
Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
