aboutsummaryrefslogtreecommitdiffstats
path: root/COPYING.GPLv3
diff options
context:
space:
mode:
authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2016-02-25 21:04:36 +0100
committerReimar Döffinger <Reimar.Doeffinger@gmx.de>2016-02-28 13:32:01 +0100
commit0f199f0ad01ea4504edcfd947c85cfa69292f881 (patch)
tree8671ad0cf6335423c03e6461898bb97a1499ed79 /COPYING.GPLv3
parent5d18dc37953966422ad1b64a395ce54b9a641081 (diff)
downloadffmpeg-0f199f0ad01ea4504edcfd947c85cfa69292f881.tar.gz
mss2: Fix buffer overflow.
Reported as https://trac.mplayerhq.hu/ticket/2264 but have not been able to reproduce with FFmpeg-only. I have no idea what coded_height is used for here exactly, so this might not be the best fix. Fixes the following chain of events: ff_mss12_decode_init sets coded_height while not setting height. ff_mpv_decode_init then copies coded_height into MpegEncContext height. This is then used by init_context_frame to allocate the data structures. However the wmv9rects are validated/initialized based on avctx->height, not avctx->coded_height. Thus the decode_wmv9 function will try to decode a larger video that we allocated data structures for, causing out-of-bounds writes. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Diffstat (limited to 'COPYING.GPLv3')
0 files changed, 0 insertions, 0 deletions