[FFmpeg-cvslog] cavsdec: check for changing w/h.
Michael Niedermayer
git at videolan.org
Sat Sep 29 14:46:47 CEST 2012
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sat Mar 24 02:40:24 2012 +0100| [c20a69630619d14ae92c5541d52c579d7c8f3e94] | committer: Anton Khirnov
cavsdec: check for changing w/h.
Our decoder does not support changing w/h.
Fixes CVE-2012-2777 and CVE-2012-2784.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton at khirnov.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c20a69630619d14ae92c5541d52c579d7c8f3e94
---
libavcodec/cavsdec.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 33e639b..e55e4f6 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1056,12 +1056,21 @@ static int decode_pic(AVSContext *h) {
static int decode_seq_header(AVSContext *h) {
MpegEncContext *s = &h->s;
int frame_rate_code;
+ int width, height;
h->profile = get_bits(&s->gb,8);
h->level = get_bits(&s->gb,8);
skip_bits1(&s->gb); //progressive sequence
- s->width = get_bits(&s->gb,14);
- s->height = get_bits(&s->gb,14);
+
+ width = get_bits(&s->gb, 14);
+ height = get_bits(&s->gb, 14);
+ if ((s->width || s->height) && (s->width != width || s->height != height)) {
+ av_log_missing_feature(s, "Width/height changing in CAVS is", 0);
+ return AVERROR_PATCHWELCOME;
+ }
+ s->width = width;
+ s->height = height;
+
skip_bits(&s->gb,2); //chroma format
skip_bits(&s->gb,3); //sample_precision
h->aspect_ratio = get_bits(&s->gb,4);
More information about the ffmpeg-cvslog
mailing list