vp56: release frames on error

Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63e) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-12-14 09:55:04 +01:00 · 2012-12-14 09:55:04 +01:00 · 7fd7950174
parent 700fb8c8dd
commit 7fd7950174
1 changed files with 7 additions and 1 deletions
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@ -511,8 +511,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        s->modelp = &s->models[is_alpha];

        res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
-        if (res < 0)
+        if (res < 0) {
+            int i;
+            for (i = 0; i < 4; i++) {
+                if (s->frames[i].data[0])
+                    avctx->release_buffer(avctx, &s->frames[i]);
+            }
            return res;
+        }

        if (res == VP56_SIZE_CHANGE) {
            int i;