diff options
Diffstat (limited to 'main/ffmpeg/CVE-2014-5271.patch')
| -rw-r--r-- | main/ffmpeg/CVE-2014-5271.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/main/ffmpeg/CVE-2014-5271.patch b/main/ffmpeg/CVE-2014-5271.patch new file mode 100644 index 0000000000..f496fb4afe --- /dev/null +++ b/main/ffmpeg/CVE-2014-5271.patch @@ -0,0 +1,55 @@ +From 52b81ff4635c077b2bc8b8d3637d933b6629d803 Mon Sep 17 00:00:00 2001 +From: Christophe Gisquet <christophe.gisquet@gmail.com> +Date: Mon, 11 Aug 2014 22:06:08 +0000 +Subject: [PATCH] proresenc_kostya: report buffer overflow + +If the allocated size, despite best efforts, is too small, exit +with the appropriate error. + +Signed-off-by: Michael Niedermayer <michaelni@gmx.at> +--- + libavcodec/proresenc_kostya.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c +index 24cb333..a70ae3c 100644 +--- a/libavcodec/proresenc_kostya.c ++++ b/libavcodec/proresenc_kostya.c +@@ -570,6 +570,11 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, + quant); + } + total_size += sizes[i]; ++ if (put_bits_left(pb) < 0) { ++ av_log(avctx, AV_LOG_ERROR, "Serious underevaluation of" ++ "required buffer size"); ++ return AVERROR_BUFFER_TOO_SMALL; ++ } + } + return total_size; + } +@@ -940,9 +945,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, + avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; + avctx->coded_frame->key_frame = 1; + +- pkt_size = ctx->frame_size_upper_bound + FF_MIN_BUFFER_SIZE; ++ pkt_size = ctx->frame_size_upper_bound; + +- if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size)) < 0) ++ if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size + FF_MIN_BUFFER_SIZE)) < 0) + return ret; + + orig_buf = pkt->data; +@@ -1019,7 +1024,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, + slice_hdr = buf; + buf += slice_hdr_size - 1; + init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); +- encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); ++ ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); ++ if (ret < 0) ++ return ret; + + bytestream_put_byte(&slice_hdr, q); + slice_size = slice_hdr_size + sizes[ctx->num_planes - 1]; +-- +1.7.10.4 + |