| author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2016-02-25 21:04:36 +0100 |
|---|---|---|
| committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2016-02-28 13:32:01 +0100 |
| commit | 0f199f0ad01ea4504edcfd947c85cfa69292f881 (patch) | |
| tree | 8671ad0cf6335423c03e6461898bb97a1499ed79 /COPYING.GPLv3 | |
| parent | 5d18dc37953966422ad1b64a395ce54b9a641081 (diff) | |
| download | ffmpeg-0f199f0ad01ea4504edcfd947c85cfa69292f881.tar.gz | |
mss2: Fix buffer overflow.
Reported as https://trac.mplayerhq.hu/ticket/2264, but I have
not been able to reproduce it with FFmpeg only.
I have no idea what coded_height is used for here exactly,
so this might not be the best fix.
Fixes the following chain of events:
ff_mss12_decode_init sets coded_height while not setting height.
ff_mpv_decode_init then copies coded_height into MpegEncContext height.
This is then used by init_context_frame to allocate the data structures.
However the wmv9rects are validated/initialized based on avctx->height, not
avctx->coded_height.
Thus the decode_wmv9 function will try to decode a larger video than we
allocated data structures for, causing out-of-bounds writes.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Diffstat (limited to 'COPYING.GPLv3')
0 files changed, 0 insertions, 0 deletions