Skip to content

Commit c74740f

Browse files
committed
avcodec/h263dec: Check against previous dimensions instead of coded
Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow <kasper93@gmail.com> Reviewed-by: Kacper Michajlow <kasper93@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0fe33c9) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent 9dea077 commit c74740f

File tree

1 file changed

+9
-4
lines changed

1 file changed

+9
-4
lines changed

libavcodec/h263dec.c

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -431,6 +431,7 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict,
431431
MpegEncContext *s = avctx->priv_data;
432432
int ret;
433433
int slice_ret = 0;
434+
int bak_width, bak_height;
434435

435436
/* no supplementary picture */
436437
if (buf_size == 0) {
@@ -482,6 +483,9 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict,
482483
if (ret < 0)
483484
return ret;
484485

486+
bak_width = s->width;
487+
bak_height = s->height;
488+
485489
/* let's go :-) */
486490
if (CONFIG_WMV2_DECODER && s->msmpeg4_version == MSMP4_WMV2) {
487491
ret = ff_wmv2_decode_picture_header(s);
@@ -501,11 +505,12 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict,
501505
}
502506

503507
if (ret < 0 || ret == FRAME_SKIPPED) {
504-
if ( s->width != avctx->coded_width
505-
|| s->height != avctx->coded_height) {
508+
if ( s->width != bak_width
509+
|| s->height != bak_height) {
506510
av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n");
507-
s->width = avctx->coded_width;
508-
s->height= avctx->coded_height;
511+
s->width = bak_width;
512+
s->height= bak_height;
513+
509514
}
510515
}
511516
if (ret == FRAME_SKIPPED)

0 commit comments

Comments
 (0)