indeo3: initialise pixel planes on allocation

This prevents decoder from reading garbage from it in case of errors later. (cherry picked from commit 81064a8045028838fd32d18490034c207c8ecc06) Fixes an invalid read on sample from CVE-2012-2804 Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Kostya Shishkov <kostya.shishkov@gmail.com> 2012-05-14 19:33:03 +0200
committer: Anton Khirnov <anton@khirnov.net> 2013-01-20 20:36:57 +0100
commit: a94f789c334ce35d7243f76b6bc982ba38289ec8 (patch)
tree: b74c7fe6eddc0a6d58f0f6b7bd06390756ab829d
parent: cf2cab5b2ab80fa2914692e02fa3488aaab7697e (diff)
download: ffmpeg-a94f789c334ce35d7243f76b6bc982ba38289ec8.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 48e5810e69..2aa8d955ac 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -194,6 +194,8 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx,
         /* set buffer pointers = buf_ptr + pitch and thus skip the INTRA prediction line */
         ctx->planes[p].pixels[0] = ctx->planes[p].buffers[0] + ctx->planes[p].pitch;
         ctx->planes[p].pixels[1] = ctx->planes[p].buffers[1] + ctx->planes[p].pitch;
+        memset(ctx->planes[p].pixels[0], 0, ctx->planes[p].pitch * ctx->planes[p].height);
+        memset(ctx->planes[p].pixels[1], 0, ctx->planes[p].pitch * ctx->planes[p].height);
     }
 
     return 0;
author	Kostya Shishkov <kostya.shishkov@gmail.com>	2012-05-14 19:33:03 +0200
committer	Anton Khirnov <anton@khirnov.net>	2013-01-20 20:36:57 +0100
commit	a94f789c334ce35d7243f76b6bc982ba38289ec8 (patch)
tree	b74c7fe6eddc0a6d58f0f6b7bd06390756ab829d
parent	cf2cab5b2ab80fa2914692e02fa3488aaab7697e (diff)
download	ffmpeg-a94f789c334ce35d7243f76b6bc982ba38289ec8.tar.gz