Browse Source

avcodec/rawdec: Check the return code of avpicture_get_size()

Fixes out of array access
Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1d3a3b9f89)

Conflicts:

	libavcodec/rawdec.c
tags/n2.3.6
Michael Niedermayer 11 years ago
parent
commit
e0822b147f
1 changed files with 3 additions and 0 deletions
  1. +3
    -0
      libavcodec/rawdec.c

+ 3
- 0
libavcodec/rawdec.c View File

@@ -117,6 +117,9 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx)
context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width, context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width,
avctx->height); avctx->height);
} }
if (context->frame_size < 0)
return context->frame_size;



if ((avctx->extradata_size >= 9 && if ((avctx->extradata_size >= 9 &&
!memcmp(avctx->extradata + avctx->extradata_size - 9, "BottomUp", 9)) || !memcmp(avctx->extradata + avctx->extradata_size - 9, "BottomUp", 9)) ||


Loading…
Cancel
Save