From f33b5ba63eee96c9d1c7f0e568169cb0c3694238 Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Fri, 14 Dec 2012 09:55:04 +0100
Subject: vp56: release frames on error

Fixes CVE-2012-2783

CC: libav-stable@libav.org
---
 libavcodec/vp56.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'libavcodec/vp56.c')

diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 6779ffb6dc..5bd0a1abef 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -514,8 +514,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         s->modelp = &s->models[is_alpha];
 
         res = s->parse_header(s, buf, remaining_buf_size, &golden_frame);
-        if (res < 0)
+        if (res < 0) {
+            int i;
+            for (i = 0; i < 4; i++) {
+                if (s->frames[i].data[0])
+                    avctx->release_buffer(avctx, &s->frames[i]);
+            }
             return res;
+        }
 
         if (res == VP56_SIZE_CHANGE) {
             int i;
-- 
cgit v1.2.3