From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 30 Sep 2015 09:10:48 +0000 (+0200)
Subject: avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u5+rpi1^2~43
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=10fa2c71b0ecf999e72e8f10743e11c190d91b97;p=libav.git

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

The variable is not a constant and can lead to race conditions

Fixes: repro.webm (not reproducable with FFmpeg alone)

Found-by: Dale Curtis <dalecurtis@google.com>
Tested-by: Dale Curtis <dalecurtis@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Gbp-Pq: Name CVE-2015-6761.patch
---

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index fff0711..08b72c9 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -156,7 +156,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
     s->mb_height = (s->avctx->coded_height + 15) / 16;
 
     s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE &&
-                   FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1;
+                   avctx->thread_count > 1;
     if (!s->mb_layout) { // Frame threading and one thread
         s->macroblocks_base       = av_mallocz((s->mb_width + s->mb_height * 2 + 1) *
                                                sizeof(*s->macroblocks));