lavc: Check the image size before calling get_buffer

Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
author: Luca Barbato <lu_zero@gentoo.org> 2014-08-04 14:15:45 +0200
committer: Luca Barbato <lu_zero@gentoo.org> 2014-08-04 14:15:45 +0200
commit: 146b187113e3cc20c2a97c5f264da13e701ca247 (patch)
tree: 787c4efc1c2f6a1725252dcb0e5ab49267ef8c4a
parent: 43d676432740c6d5e5234ed343f13902909fd124 (diff)
download: ffmpeg-146b187113e3cc20c2a97c5f264da13e701ca247.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 19c8a99ff5..42be6450af 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -465,6 +465,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
 {
     switch (avctx->codec_type) {
     case AVMEDIA_TYPE_VIDEO:
+        if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+             return AVERROR_INVALIDDATA;
         frame->width               = avctx->width;
         frame->height              = avctx->height;
         frame->format              = avctx->pix_fmt;
author	Luca Barbato <lu_zero@gentoo.org>	2014-08-04 14:15:45 +0200
committer	Luca Barbato <lu_zero@gentoo.org>	2014-08-04 14:15:45 +0200
commit	146b187113e3cc20c2a97c5f264da13e701ca247 (patch)
tree	787c4efc1c2f6a1725252dcb0e5ab49267ef8c4a
parent	43d676432740c6d5e5234ed343f13902909fd124 (diff)
download	ffmpeg-146b187113e3cc20c2a97c5f264da13e701ca247.tar.gz