aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-11-26 18:56:39 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-11-26 19:01:17 +0100
commit1d3a3b9f8907625b361420d48fe05716859620ff (patch)
tree9eb86f312fb38b09b468eddf4c4cdb777d6642e9
parent1b5d11240692025f036e945bc37968735679320a (diff)
downloadffmpeg-1d3a3b9f8907625b361420d48fe05716859620ff.tar.gz
avcodec/rawdec: Check the return code of avpicture_get_size()
Fixes out of array access Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/rawdec.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 28792a1688..647dfa9a0a 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -172,6 +172,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width,
avctx->height);
}
+ if (context->frame_size < 0)
+ return context->frame_size;
+
need_copy = !avpkt->buf || context->is_2_4_bpp || context->is_yuv2 || context->is_lt_16bpp;
frame->pict_type = AV_PICTURE_TYPE_I;