avcodec: Introduce ff_get_buffer

Validate the image size there as is done in the other release branches. Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

avcodec: Introduce ff_get_buffer
Validate the image size there as is done in the other release branches. Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
0ab76ddf · Luca Barbato · 042c25f5 · 0ab76ddf · 0ab76ddf · 0ab76ddf
Commit 0ab76ddf authored 10 years ago by Luca Barbato
Hide whitespace changes
Inline Side-by-side

Showing

with 38 additions and 21 deletions
+38 -21
--- a/avplay.c
+++ b/avplay.c
@@ -1584,7 +1584,7 @@ static int input_reget_buffer(AVCodecContext *codec, AVFrame *pic)

    if (pic->data[0] == NULL) {
        pic->buffer_hints |= FF_BUFFER_HINTS_READABLE;
-        return codec->get_buffer(codec, pic);
+        return input_get_buffer(codec, pic);
    }

    if ((codec->width != ref->video->w) || (codec->height != ref->video->h) ||

--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -29,6 +29,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"

 /** decoder context */
 typedef struct EightSvxContext {
@@ -141,7 +142,7 @@ static int eightsvx_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    esc->frame.nb_samples = buf_size * (is_compr + 1);
-    if ((ret = avctx->get_buffer(avctx, &esc->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &esc->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -2246,7 +2246,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
    if (samples) {
        /* get output buffer */
        ac->frame.nb_samples = samples;
-        if ((err = avctx->get_buffer(avctx, &ac->frame)) < 0) {
+        if ((err = ff_get_buffer(avctx, &ac->frame)) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return err;
        }

--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1411,7 +1411,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = s->num_blocks * 256;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -18,6 +18,7 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "put_bits.h"
 #include "bytestream.h"
@@ -547,7 +548,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = nb_samples;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/adxdec.c
+++ b/libavcodec/adxdec.c
@@ -21,6 +21,7 @@

 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "adx.h"
 #include "get_bits.h"

@@ -140,7 +141,7 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = num_blocks * BLOCK_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -47,6 +47,7 @@


 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "bytestream.h"
 #include "unary.h"
@@ -402,7 +403,7 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }
    alac->frame.nb_samples = outputsamples;
-    if ((ret = avctx->get_buffer(avctx, &alac->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &alac->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -30,6 +30,7 @@


 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "unary.h"
 #include "mpeg4audio.h"
@@ -1484,7 +1485,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,

    /* get output buffer */
    ctx->frame.nb_samples = ctx->cur_frame_length;
-    if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/amrnbdec.c
+++ b/libavcodec/amrnbdec.c
@@ -44,6 +44,7 @@
 #include <math.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "libavutil/common.h"
 #include "celp_math.h"
@@ -944,7 +945,7 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    p->avframe.nb_samples = AMR_BLOCK_SIZE;
-    if ((ret = avctx->get_buffer(avctx, &p->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &p->avframe)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -27,6 +27,7 @@
 #include "libavutil/lfg.h"

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "lsp.h"
 #include "celp_math.h"
@@ -1087,7 +1088,7 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    ctx->avframe.nb_samples = 4 * AMRWB_SFR_SIZE_16k;
-    if ((ret = avctx->get_buffer(avctx, &ctx->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->avframe)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/ansi.c
+++ b/libavcodec/ansi.c
@@ -26,6 +26,7 @@

 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "cga_data.h"

 #define ATTR_BOLD         0x01  /**< Bold/Bright-foreground (mode 1) */
@@ -221,7 +222,7 @@ static int execute_code(AVCodecContext * avctx, int c)
            if (s->frame.data[0])
                avctx->release_buffer(avctx, &s->frame);
            avcodec_set_dimensions(avctx, width, height);
-            ret = avctx->get_buffer(avctx, &s->frame);
+            ret = ff_get_buffer(avctx, &s->frame);
            if (ret < 0) {
                av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                return ret;

--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -22,6 +22,7 @@

 #define BITSTREAM_READER_LE
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "get_bits.h"
 #include "bytestream.h"
@@ -887,7 +888,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = blockstodecode;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/atrac1.c
+++ b/libavcodec/atrac1.c
@@ -33,6 +33,7 @@
 #include <stdio.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "fft.h"
@@ -291,7 +292,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    q->frame.nb_samples = AT1_SU_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -37,6 +37,7 @@
 #include <stdio.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -852,7 +853,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    q->frame.nb_samples = SAMPLES_PER_FRAME;
-    if ((result = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((result = ff_get_buffer(avctx, &q->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return result;
    }

--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -29,6 +29,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #define BITSTREAM_READER_LE
 #include "get_bits.h"
 #include "dsputil.h"
@@ -340,7 +341,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = s->block_size / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -20,6 +20,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"

 enum BMVFlags{
@@ -265,7 +266,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    avctx->pix_fmt = PIX_FMT_PAL8;

    c->pic.reference = 1;
-    if (avctx->get_buffer(avctx, &c->pic) < 0) {
+    if (ff_get_buffer(avctx, &c->pic) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return -1;
    }
@@ -330,7 +331,7 @@ static int bmv_aud_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = total_blocks * 32;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -20,6 +20,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"

 /**
@@ -331,7 +332,7 @@ static int cdg_decode_frame(AVCodecContext *avctx,
            }

            cdg_init_frame(&new_frame);
-            ret = avctx->get_buffer(avctx, &new_frame);
+            ret = ff_get_buffer(avctx, &new_frame);
            if (ret) {
                av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                return ret;

--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -44,6 +44,7 @@

 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -991,7 +992,7 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data,
    /* get output buffer */
    if (q->discarded_packets >= 2) {
        q->frame.nb_samples = q->samples_per_channel;
-        if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+        if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return ret;
        }

--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -32,6 +32,7 @@
 #include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "fft.h"
 #include "get_bits.h"
@@ -1902,7 +1903,7 @@ static int dca_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = 256 * (s->sample_blocks / 8);
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }

--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -21,6 +21,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"

 #include "libavutil/imgutils.h"
@@ -325,7 +326,7 @@ static int dfa_decode_frame(AVCodecContext *avctx,
    if (s->pic.data[0])
        avctx->release_buffer(avctx, &s->pic);

-    if ((ret = avctx->get_buffer(avctx, &s->pic))) {
+    if ((ret = ff_get_buffer(avctx, &s->pic))) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }