h263dec: Disallow width/height changing with frame threads.

Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Michael Niedermayer <michaelni@gmx.at> 2012-02-17 13:35:10 -0800
committer: Reinhard Tartler <siretart@tauware.de> 2012-05-22 21:51:58 +0200
commit: 58361100188a1f80bcd9b6c58a4ce588032da1ad (patch)
tree: 31ab4d94fd2effa6b39a9def76cbb85e753df767
parent: 43e5fda45cf540a052d6f78248a3bf99f87095a8 (diff)
download: ffmpeg-58361100188a1f80bcd9b6c58a4ce588032da1ad.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 7f0934a124..1ddca1944d 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -578,6 +578,11 @@ retry:
         /* H.263 could change picture size any time */
         ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
 
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
         s->parse_context.buffer=0;
         MPV_common_end(s);
         s->parse_context= pc;
author	Michael Niedermayer <michaelni@gmx.at>	2012-02-17 13:35:10 -0800
committer	Reinhard Tartler <siretart@tauware.de>	2012-05-22 21:51:58 +0200
commit	58361100188a1f80bcd9b6c58a4ce588032da1ad (patch)
tree	31ab4d94fd2effa6b39a9def76cbb85e753df767
parent	43e5fda45cf540a052d6f78248a3bf99f87095a8 (diff)
download	ffmpeg-58361100188a1f80bcd9b6c58a4ce588032da1ad.tar.gz