lavc: Check the image size before calling get_buffer

Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
2014-08-04 14:15:45 +02:00
parent 43d6764327
commit 146b187113
1 changed files with 2 additions and 0 deletions
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -465,6 +465,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
 {
    switch (avctx->codec_type) {
    case AVMEDIA_TYPE_VIDEO:
+        if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+             return AVERROR_INVALIDDATA;
        frame->width               = avctx->width;
        frame->height              = avctx->height;
        frame->format              = avctx->pix_fmt;