generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

dpcm: ignore extra unpaired bytes in stereo streams.

Browse Source 
Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b73)
(cherry picked from commit eaeaeb265f)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 41f1f146c9e29dde63e293078819474c9b8111a1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Alex Converse
2012-02-17 14:13:40 -08:00
committed by Reinhard Tartler
parent 4b2e02a4c4
commit 7944a87ba8
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/dpcm.c
View File

@@ -167,6 +167,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
int in, out = 0;
int predictor[2];
int channel_number = 0;
int stereo = s->channels - 1;
short *output_samples = data;
int shift[2];
unsigned char byte;
@@ -175,6 +176,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
if (!buf_size)
return 0;
if (stereo && (buf_size & 1))
buf_size--;
// almost every DPCM variant expands one byte of data into two
if(*data_size/2 < buf_size)
return -1;