Commit 59e95fa4 authored by Michael Niedermayer's avatar Michael Niedermayer

h263dec: Disallow width/height changing with frame threads.

Fixes CVE-2011-3937

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 5c011706
......@@ -570,8 +570,7 @@ retry:
#if HAVE_MMX
if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
avctx->idct_algo= FF_IDCT_XVIDMMX;
avctx->coded_width= 0; // force reinit
// dsputil_init(&s->dsp, avctx);
ff_dct_common_init(s);
s->picture_number=0;
}
#endif
......@@ -585,6 +584,12 @@ retry:
|| s->height != avctx->coded_height) {
/* H.263 could change picture size any time */
ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
return -1; // width / height changed during parallelized decoding
}
s->parse_context.buffer=0;
MPV_common_end(s);
s->parse_context= pc;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment