authorLuca Barbato <lu_zero@gentoo.org>2012-12-14 09:55:04 +0100
committerReinhard Tartler <siretart@tauware.de>2013-02-10 18:01:16 +0100
commit4f8f4458a5a837bf58ae3b3662b0ec4278682612 (patch)
tree4848c9a162300301ce5c2994b6e9b3dc2a0f9924
parent9def5c466648d970f8d3e03d4b3947a6852d9c61 (diff)
vp56: release frames on error
Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61) Conflicts: libavcodec/vp56.c
-rw-r--r--libavcodec/vp56.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index c09dbeb2f8..2b70d2b2f8 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -516,8 +516,14 @@ int vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
s->modelp = &s->models[is_alpha];
res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
- if (!res)
- return -1;
+ if (!res) {
+ int i;
+ for (i = 0; i < 4; i++) {
+ if (s->frames[i].data[0])
+ avctx->release_buffer(avctx, &s->frames[i]);
+ }
+ return res;
+ }
if (!is_alpha) {
p->reference = 1;
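Review bot: `return res;` sits inside the `if (!res)` branch, so it always returns 0, and a header parse failure is now reported to the caller as a non-error result where the removed code returned -1. Unless a zero return is intended for this path, the release loop should be followed by `return -1;` (or a negative AVERROR code) so that callers stop treating the packet as decoded. The loop also depends on `avctx->release_buffer` clearing `s->frames[i].data[0]`; if an application-supplied callback does not, a later error or close path could release the same frame again, and any frame pointers the context still holds would refer to released buffers. That is not visible in this hunk and is worth confirming or documenting with a comment such as `/* release_buffer must reset data[0]; frames are re-acquired on the next keyframe */`. The body of vp56_decode_frame starts and ends outside the hunk.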