diff options
author | Luca Barbato <lu_zero@gentoo.org> | 2012-12-14 09:55:04 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2013-01-02 20:28:18 +0100 |
commit | 211badf0689d3972c08790c6776d99a1b12cb935 (patch) | |
tree | c676ef70fbc8a29a23a5464f35dd63e6b1fafdd1 | |
parent | 145317d22073e84fda642905f9518eda04a279b5 (diff) | |
download | ffmpeg-211badf0689d3972c08790c6776d99a1b12cb935.tar.gz |
vp56: release frames on error
Fixes CVE-2012-2783
CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/vp56.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 0ad468cd0d..7767461843 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -513,8 +513,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (res < 0) + if (res < 0) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } return res; + } if (res == VP56_SIZE_CHANGE) { int i; |