diff options
author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-07-06 16:48:23 +0000 |
---|---|---|
committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-07-06 16:48:23 +0000 |
commit | 16c831851384ab59e73579fdd9913fbff3c0284a (patch) | |
tree | fe42b31ef2f963a5dff45ef760ebab9768e525e7 | |
parent | 28bcc76ab75caee6a7f5a2bd6b8b401b359a394b (diff) | |
download | ffmpeg-16c831851384ab59e73579fdd9913fbff3c0284a.tar.gz |
Reallocate internal buffer when coded frame size changes.
Fixes out-of-bounds reads and writes with i32/smclocki32.avi.1.0 from issue 1240.
Originally committed as revision 19359 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/indeo3.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 7e4cd96842..9c14e81a55 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -107,6 +107,7 @@ static av_cold int iv_alloc_frames(Indeo3DecodeContext *s) unsigned int bufsize = luma_pixels * 2 + luma_width * 3 + (chroma_pixels + chroma_width) * 4; + av_freep(&s->buf); if(!(s->buf = av_malloc(bufsize))) return AVERROR(ENOMEM); s->iv_frame[0].y_w = s->iv_frame[1].y_w = luma_width; @@ -997,6 +998,17 @@ static int iv_decode_frame(AVCodecContext *avctx, if(avcodec_check_dimensions(avctx, image_width, image_height)) return -1; + if (image_width != avctx->width || image_height != avctx->height) { + int ret; + avcodec_set_dimensions(avctx, image_width, image_height); + s->width = avctx->width; + s->height = avctx->height; + ret = iv_alloc_frames(s); + if (ret < 0) { + s->width = s->height = 0; + return ret; + } + } chroma_height = ((image_height >> 2) + 3) & 0x7ffc; chroma_width = ((image_width >> 2) + 3) & 0x7ffc; |