From 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Fri, 14 Dec 2012 09:55:04 +0100
Subject: [PATCH] vp56: release frames on error
Fixes CVE-2012-2783
CC: libav-stable@libav.org
(cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238)
Signed-off-by: Reinhard Tartler
---
 libavcodec/vp56.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 96f40a1bd0..b06ea7a5b2 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -511,8 +511,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 s->modelp = &s->models[is_alpha];
 res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
- if (res < 0)
+ if (res < 0) {
+ int i;
+ for (i = 0; i < 4; i++) {
+ if (s->frames[i].data[0])
+ avctx->release_buffer(avctx, &s->frames[i]);
+ }
 return res;
+ }
 if (res == VP56_SIZE_CHANGE) {
 int i;
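Review bot: After the new `res < 0` branch releases every `s->frames[i]`, nothing visible in the hunk records that the decoder no longer holds any reference frame. It is worth confirming that a following non-key packet is rejected before prediction reads from a released frame. If that is the intended contract, a comment on the branch such as `/* header rejected: drop every held buffer; decoding must restart from a key frame */` would make it checkable. The loop bound is a bare `4`; `FF_ARRAY_ELEMS(s->frames)` would keep it tied to the array if `frames` is declared as a fixed array (its declaration is not in the hunk). The `VP56_SIZE_CHANGE` branch directly below also opens with `int i;` and may repeat the same release loop, in which case a small static helper would keep the two paths in step. `ff_vp56_decode_frame` starts and ends outside the hunk, so both points need checking against the full function.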