h263dec: Disallow width/height changing with frame threads.

Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-01-25 01:30:43 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-25 06:48:30 +0100
commit: 59e95fa4a8844d2abe7ddd7b8d269ea8d8eea17d (patch)
tree: 2cf0dd6a0e3a2d744027082d4e56930be9c09ebf /libavcodec/h263dec.c
parent: 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index fcb62732b5..621f7ad9f2 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -570,8 +570,7 @@ retry:
 #if HAVE_MMX
     if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
         avctx->idct_algo= FF_IDCT_XVIDMMX;
-        avctx->coded_width= 0; // force reinit
-//        dsputil_init(&s->dsp, avctx);
+        ff_dct_common_init(s);
         s->picture_number=0;
     }
 #endif
@@ -585,6 +584,12 @@ retry:
         || s->height != avctx->coded_height) {
         /* H.263 could change picture size any time */
         ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
+
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
         s->parse_context.buffer=0;
         MPV_common_end(s);
         s->parse_context= pc;
author	Michael Niedermayer <michaelni@gmx.at>	2012-01-25 01:30:43 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-25 06:48:30 +0100
commit	59e95fa4a8844d2abe7ddd7b8d269ea8d8eea17d (patch)
tree	2cf0dd6a0e3a2d744027082d4e56930be9c09ebf /libavcodec/h263dec.c
parent	5c011706bc752d34bc6ada31d7df2ca0c9af7c6b (diff)