author | Michael Niedermayer <michaelni@gmx.at> | 2007-08-10 19:28:28 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2007-08-10 19:28:28 +0000 |
commit | 0701006e34edb27aae438148613cc779a342a099 (patch) | |
tree | c0345624d9423eaad21e41e338fbd6ee3c39afb8 /libavcodec | |
parent | 6aacfd22ab4cd1be1223c1eb3ae51f09622ae26e (diff) | |
download | ffmpeg-0701006e34edb27aae438148613cc779a342a099.tar.gz |
ensure that default_get_buffer() doesn't reuse images if the dimension or
pix_fmt changed
fixes heap overflow, possibly exploitable
Originally committed as revision 10064 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/utils.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index fd757fdfcb..5f10ffbe86 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -147,6 +147,8 @@ typedef struct InternalBuffer{
 uint8_t *base[4];
 uint8_t *data[4];
 int linesize[4];
+ int width, height;
+ enum PixelFormat pix_fmt;
 }InternalBuffer;
 
 #define INTERNAL_BUFFER_SIZE 32
@@ -251,6 +253,13 @@ int avcodec_default_get_buffer(AVCodecContext *s, AVFrame *pic){
 picture_number= &(((InternalBuffer*)s->internal_buffer)[INTERNAL_BUFFER_SIZE-1]).last_pic_num; //FIXME ugly hack
 (*picture_number)++;
 
+ if(buf->base[0] && (buf->width != w || buf->height != h || buf->pix_fmt != s->pix_fmt)){
+ for(i=0; i<4; i++){
+ av_freep(&buf->base[i]);
+ buf->data[i]= NULL;
+ }
+ }
+
 if(buf->base[0]){
 pic->age= *picture_number - buf->last_pic_num;
 buf->last_pic_num= *picture_number;
@@ -306,6 +315,9 @@ int avcodec_default_get_buffer(AVCodecContext *s, AVFrame *pic){
 else
 buf->data[i] = buf->base[i] + ALIGN((buf->linesize[i]*EDGE_WIDTH>>v_shift) + (EDGE_WIDTH>>h_shift), STRIDE_ALIGN);
 }
+ buf->width = s->width;
+ buf->height = s->height;
+ buf->pix_fmt= s->pix_fmt;
 pic->age= 256*256*256*64;
 }
 pic->type= FF_BUFFER_TYPE_INTERNAL; |
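Review bot: The two fields added to `InternalBuffer` in the first hunk carry no comment, yet they are the key that decides whether a cached allocation may be reused, so a later change to the allocation code could easily forget to update them. A short comment on the new lines would make that contract visible, for example `/* geometry and format that base[]/data[] were allocated for; compared before reuse */`. The comparison short-circuits on `buf->base[0]`, so the fields only need to be valid once a buffer has been allocated; whether the array itself is zero-initialised is not visible in this hunk.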
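Review bot: The reuse check in the second hunk compares against the locals `w` and `h`, while the third hunk records `s->width` and `s->height`, so the check is only correct if `w`/`h` still equal the context dimensions at this point. Their assignment is outside the hunk; if they are ever aligned or padded before this line, the test would never match and every call would free and reallocate the planes. Comparing the same expressions that are stored removes that dependency: `if(buf->base[0] && (buf->width != s->width || buf->height != s->height || buf->pix_fmt != s->pix_fmt)){`. A one-line comment such as `/* planes were sized for another geometry/format: drop them so the allocation path below runs */` would also record why the free is needed for memory safety.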
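Review bot: The key recorded in the third hunk covers only width, height and pix_fmt, but the `data[i]` offset computed just above depends on which branch of an `if`/`else` was taken, and the `else` branch shifts the pointer by an EDGE_WIDTH-based amount. The condition of that branch is outside the hunk; if it (or anything else that sizes the allocation) can change between two calls with unchanged dimensions, a reused buffer would keep the old layout and the same class of out-of-bounds write could presumably recur. It would be worth confirming which inputs the allocation depends on and either recording them in `InternalBuffer` alongside these three fields or documenting why they cannot change for the lifetime of the context.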