dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b73)
(cherry picked from commit eaeaeb265f)
Conflicts: libavcodec/dpcm.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

committed by
Reinhard Tartler

parent
2f2fd8c6d1
commit
654b24f68a
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
|
|||||||
int in, out = 0;
|
int in, out = 0;
|
||||||
int predictor[2];
|
int predictor[2];
|
||||||
int channel_number = 0;
|
int channel_number = 0;
|
||||||
|
int stereo = s->channels - 1;
|
||||||
short *output_samples = data;
|
short *output_samples = data;
|
||||||
int shift[2];
|
int shift[2];
|
||||||
unsigned char byte;
|
unsigned char byte;
|
||||||
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
|
|||||||
if (!buf_size)
|
if (!buf_size)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
if (stereo && (buf_size & 1))
|
||||||
|
buf_size--;
|
||||||
|
|
||||||
// almost every DPCM variant expands one byte of data into two
|
// almost every DPCM variant expands one byte of data into two
|
||||||
if(*data_size/2 < buf_size)
|
if(*data_size/2 < buf_size)
|
||||||
return -1;
|
return -1;
|
||||||
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
|
|||||||
}
|
}
|
||||||
|
|
||||||
*data_size = out * sizeof(short);
|
*data_size = out * sizeof(short);
|
||||||
return buf_size;
|
return avpkt->size;
|
||||||
}
|
}
|
||||||
|
|
||||||
#define DPCM_DECODER(id, name, long_name_) \
|
#define DPCM_DECODER(id, name, long_name_) \
|
||||||
|
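Review bot: In the second hunk the odd-byte trim runs after the `if (!buf_size) return 0;` guard, so a one-byte stereo packet passes the guard and then continues with `buf_size == 0`. The rest of dpcm_decode_frame is outside the visible hunks, so it is unclear whether the per-codec header reads tolerate an empty buffer. Re-checking right after the trim would close that gap: `if (!buf_size) return avpkt->size;`. Separately, `int stereo = s->channels - 1;` is used both as a truth value and, presumably, as the index toggle for `predictor[2]` and `shift[2]`, so it is only safe if the channel count is 1 or 2. If the init function, which is not shown here, does not already reject other counts, either add that check there or derive the flag as `s->channels == 2`. A short comment at the final `return avpkt->size;`, such as `/* report the dropped unpaired byte as consumed */`, would also explain why the trimmed `buf_size` is not returned.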