    mss2: Fix buffer overflow. · 0f199f0a
    Reimar Döffinger authored
    Reported as https://trac.mplayerhq.hu/ticket/2264 but I have
    not been able to reproduce it with FFmpeg only.
    I have no idea what coded_height is used for here exactly,
    so this might not be the best fix.
    Fixes the following chain of events:
    ff_mss12_decode_init sets coded_height while not setting height.
    ff_mpv_decode_init then copies coded_height into MpegEncContext height.
    This is then used by init_context_frame to allocate the data structures.
    However the wmv9rects are validated/initialized based on avctx->height, not
    avctx->coded_height.
    Thus the decode_wmv9 function will try to decode a larger video than we
    allocated data structures for, causing out-of-bounds writes.
    Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
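The height/coded_height mismatch described in the commit message, as a constructed and simplified C model added here (not FFmpeg's code; DecCtx, Rect and all function names are hypothetical): rectangles are accepted against one height while the buffer was sized from coded_height, and the final function shows validation against the dimension the allocation actually used.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed, simplified model of the mismatch described in the commit
 * message; this is not FFmpeg code. Rect validation consults one field
 * (height) while buffer allocation was sized from another (coded_height). */
typedef struct { int x, y, w, h; } Rect;
typedef struct {
    int width, height;  /* dimension the rect validation consults */
    int coded_height;   /* dimension the allocation was sized from */
    size_t alloc_bytes; /* bytes actually allocated for one 8-bit plane */
} DecCtx;

static void init_ctx(DecCtx *c, int width, int coded_height, int height) {
    c->width = width;
    c->coded_height = coded_height;
    c->height = height;
    c->alloc_bytes = (size_t)width * (size_t)coded_height;
}
static int rect_in_bounds(const Rect *r, int width, int height) {
    return r->x >= 0 && r->y >= 0 && r->w > 0 && r->h > 0 &&
           r->x + r->w <= width && r->y + r->h <= height;
}
/* Unsafe pattern: accept against height, then write into a buffer sized from
 * coded_height. Returns 1 if the accepted rect's last pixel lies past the
 * allocation, i.e. the write would go out of bounds. */
static int write_would_overflow(const DecCtx *c, const Rect *r) {
    if (!rect_in_bounds(r, c->width, c->height))
        return 0;
    size_t last = (size_t)(r->y + r->h - 1) * c->width + (r->x + r->w - 1);
    return last >= c->alloc_bytes;
}
/* Mitigation: validate against the dimension the buffers were sized from. */
static int accept_rect_safe(const DecCtx *c, const Rect *r) {
    return rect_in_bounds(r, c->width, (int)(c->alloc_bytes / c->width));
}
/* Constructed scenario: buffers sized for 120 rows, rects checked against 240. */
static int demo_unsafe_overflows(void) {
    DecCtx c; Rect r = {0, 200, 320, 40};
    init_ctx(&c, 320, 120, 240);
    return write_would_overflow(&c, &r);   /* returns 1 */
}
static int demo_safe_rejects(void) {
    DecCtx c; Rect r = {0, 200, 320, 40};
    init_ctx(&c, 320, 120, 240);
    return !accept_rect_safe(&c, &r);      /* returns 1 */
}
int main(void) {
    printf("unsafe overflows: %d, safe rejects: %d\n",
           demo_unsafe_overflows(), demo_safe_rejects());
    return 0;
}
```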