avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

The variable is not a constant and can lead to race conditions

Fixes: repro.webm (not reproducable with FFmpeg alone)
Found-by: Dale Curtis <dalecurtis@google.com>
Tested-by: Dale Curtis <dalecurtis@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-6761.patch

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index fff07117aca1df4d4638ca4e277b4c9d1a48e9de..08b72c98501a6fe1cd122fc9c5a711375b45dbc8 100644 (file)
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -156,7 +156,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
     s->mb_height = (s->avctx->coded_height + 15) / 16;
 
     s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE &&
-                   FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1;
+                   avctx->thread_count > 1;
     if (!s->mb_layout) { // Frame threading and one thread
         s->macroblocks_base       = av_mallocz((s->mb_width + s->mb_height * 2 + 1) *
                                                sizeof(*s->macroblocks));