| Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | gst-ffmpeg: vp3: Copy all 3 frames for thread updates. |
| 2 | |
| 3 | This fixes a double release of the current frame on deinit. |
| 4 | Fixes CVE-2011-3934 |
| 5 | |
| 6 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind |
| 7 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> |
| 8 | |
| 9 | Upstream-Status: Backport |
| 10 | |
| 11 | Signed-off-by: Yue.Tao <yue.tao@windriver.com> |
| 12 | |
| 13 | --- |
| 14 | libavcodec/vp3.c | 2 +- |
| 15 | 1 files changed, 1 insertions(+), 1 deletions(-) |
| 16 | |
| 17 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c |
| 18 | index 738ae9f..b5daafc 100644 |
| 19 | --- a/gst-libs/ext/libav/libavcodec/vp3.c |
| 20 | +++ b/gst-libs/ext/libav/libavcodec/vp3.c |
| 21 | @@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * |
| 22 | ||s->width != s1->width |
| 23 | ||s->height!= s1->height) { |
| 24 | if (s != s1) |
| 25 | - copy_fields(s, s1, golden_frame, current_frame); |
| 26 | + copy_fields(s, s1, golden_frame, keyframe); |
| 27 | return -1; |
| 28 | } |
| 29 | |
| 30 | -- |
| 31 | 1.7.5.4 |
| 32 | |