avcodec: Introduce ff_get_buffer

Validate the image size there as is done in the other release
branches.

Bug-Id: CVE-2011-3935
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

1 files changed, 16 insertions, 3 deletions

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 7902e987ca..e657a2cece 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -552,7 +552,7 @@ int avcodec_default_reget_buffer(AVCodecContext *s, AVFrame *pic){
     if(pic->data[0] == NULL) {
         /* We will copy from buffer, so must be readable */
         pic->buffer_hints |= FF_BUFFER_HINTS_READABLE;
-        return s->get_buffer(s, pic);
+        return ff_get_buffer(s, pic);
     }
 
     /* If internal buffer type return the same buffer */
@@ -571,7 +571,7 @@ int avcodec_default_reget_buffer(AVCodecContext *s, AVFrame *pic){
         pic->data[i] = pic->base[i] = NULL;
     pic->opaque = NULL;
     /* Allocate new frame */
-    if (s->get_buffer(s, pic))
+    if (ff_get_buffer(s, pic))
         return -1;
     /* Copy image data from old buffer to new buffer */
     av_picture_copy((AVPicture*)pic, (AVPicture*)&temp_pic, s->pix_fmt, s->width,
@@ -1815,7 +1815,7 @@ unsigned int avpriv_toupper4(unsigned int x)
 int ff_thread_get_buffer(AVCodecContext *avctx, AVFrame *f)
 {
     f->owner = avctx;
-    return avctx->get_buffer(avctx, f);
+    return ff_get_buffer(avctx, f);
 }
 
 void ff_thread_release_buffer(AVCodecContext *avctx, AVFrame *f)
@@ -1863,3 +1863,16 @@ int avcodec_is_open(AVCodecContext *s)
 {
     return !!s->internal;
 }
+
+int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
+{
+    switch (avctx->codec_type) {
+        case AVMEDIA_TYPE_VIDEO:
+            if (av_image_check_size(avctx->width, avctx->height, 0, avctx)) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %dx%d\n",
+                       avctx->width, avctx->height);
+                return AVERROR_INVALIDDATA;
+            }
+    }
+    return avctx->get_buffer(avctx, frame);
+}