author | Michael Niedermayer <michaelni@gmx.at> | 2012-01-25 21:10:29 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-01-25 21:12:00 +0100 |
commit | 247d30a7dba6684ccce4508424f35fd58465e535 (patch) | |
tree | 31c24c3cc87e8f6ec0d13f7e44ddcc5a93075955 /libavcodec | |
parent | 6071644287d2a7471d906b688cb7253a5ceaaa8a (diff) | |
vp3: Copy all 3 frames for thread updates.
This fixes a double release of the current frame on deinit.
Fixes CVE-2011-3934
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vp3.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 738ae9fd25..b5daafcefb 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
 ||s->width != s1->width
 ||s->height!= s1->height) {
 if (s != s1)
- copy_fields(s, s1, golden_frame, current_frame);
+ copy_fields(s, s1, golden_frame, keyframe);
 return -1;
 }
 |
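Review bot: The new `copy_fields(s, s1, golden_frame, keyframe);` call depends on the order of fields in the context struct, and nothing at the call site records that dependency. copy_fields is defined outside this hunk; assuming it copies the byte range from the first named field up to, but not including, the second, the fix only holds while `keyframe` is declared immediately after the three frame fields. A field inserted or reordered there later would silently bring back the stale-frame state behind the double release, or copy unrelated members between thread contexts. I would add a comment on the call such as `/* copies golden, last and current frame: keyframe must stay the first field after them */`, with a matching note at the struct declaration. The body of vp3_update_thread_context starts and ends outside the hunk, so I cannot tell whether a later copy_fields call in the function has the same dependency.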