aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuca Barbato <lu_zero@gentoo.org>2012-12-14 09:55:04 +0100
committerReinhard Tartler <siretart@tauware.de>2013-01-02 20:28:18 +0100
commit211badf0689d3972c08790c6776d99a1b12cb935 (patch)
treec676ef70fbc8a29a23a5464f35dd63e6b1fafdd1
parent145317d22073e84fda642905f9518eda04a279b5 (diff)
downloadffmpeg-211badf0689d3972c08790c6776d99a1b12cb935.tar.gz
vp56: release frames on error
Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r--libavcodec/vp56.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 0ad468cd0d..7767461843 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -513,8 +513,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
s->modelp = &s->models[is_alpha];
res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
- if (res < 0)
+ if (res < 0) {
+ int i;
+ for (i = 0; i < 4; i++) {
+ if (s->frames[i].data[0])
+ avctx->release_buffer(avctx, &s->frames[i]);
+ }
return res;
+ }
if (res == VP56_SIZE_CHANGE) {
int i;