vp56: release frames on error

Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Luca Barbato <lu_zero@gentoo.org> 2012-12-14 09:55:04 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2013-01-12 19:20:27 +0100
commit: 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61 (patch)
tree: e6259e644ff6fb102c119b2b40fd70def807ac15
parent: 700fb8c8dd0622fcadb1a35eb2363e1e4c94e663 (diff)
download: ffmpeg-7fd7950174f9f2935fbf5bf1435fd0dc37be5c61.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 96f40a1bd0..b06ea7a5b2 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -511,8 +511,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         s->modelp = &s->models[is_alpha];
 
         res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
-        if (res < 0)
+        if (res < 0) {
+            int i;
+            for (i = 0; i < 4; i++) {
+                if (s->frames[i].data[0])
+                    avctx->release_buffer(avctx, &s->frames[i]);
+            }
             return res;
+        }
 
         if (res == VP56_SIZE_CHANGE) {
             int i;
author	Luca Barbato <lu_zero@gentoo.org>	2012-12-14 09:55:04 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2013-01-12 19:20:27 +0100
commit	7fd7950174f9f2935fbf5bf1435fd0dc37be5c61 (patch)
tree	e6259e644ff6fb102c119b2b40fd70def807ac15
parent	700fb8c8dd0622fcadb1a35eb2363e1e4c94e663 (diff)
download	ffmpeg-7fd7950174f9f2935fbf5bf1435fd0dc37be5c61.tar.gz