generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

cavsdec: check for changing w/h.

Browse Source 
Our decoder does not support changing w/h.

Fixes CVE-2012-2777 and CVE-2012-2784.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c20a696306)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Michael Niedermayer
2012-03-24 02:40:24 +01:00
committed by Reinhard Tartler
parent d1729c3715
commit 4fac60d568
1 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
libavcodec/cavsdec.c
View File

@@ -599,12 +599,21 @@ static int decode_pic(AVSContext *h) {
static int decode_seq_header(AVSContext *h) {
MpegEncContext *s = &h->s;
int frame_rate_code;
int width, height;
h->profile = get_bits(&s->gb,8);
h->level = get_bits(&s->gb,8);
skip_bits1(&s->gb); //progressive sequence
s->width = get_bits(&s->gb,14);
s->height = get_bits(&s->gb,14);
width = get_bits(&s->gb, 14);
height = get_bits(&s->gb, 14);
if ((s->width || s->height) && (s->width != width || s->height != height)) {
av_log(s, AV_LOG_ERROR, "Width/height changing in CAVS is unsupported");
return AVERROR_PATCHWELCOME;
}
s->width = width;
s->height = height;
skip_bits(&s->gb,2); //chroma format
skip_bits(&s->gb,3); //sample_precision
h->aspect_ratio = get_bits(&s->gb,4);