generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

alsdec: check opt_order.

Browse Source 
Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.

Fixes CVE-2012-2775

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Michael Niedermayer 2012-03-24 01:39:13 +01:00 committed by Anton Khirnov
parent d9ffa2aca1
commit a1b127515b
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/alsdec.c
View File

@ -663,6 +663,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
2, sconf->max_order + 1)); 2, sconf->max_order + 1));
*bd->opt_order = get_bits(gb, opt_order_length); *bd->opt_order = get_bits(gb, opt_order_length);
if (*bd->opt_order > sconf->max_order) {
*bd->opt_order = sconf->max_order;
av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
return AVERROR_INVALIDDATA;
}
} else { } else {
*bd->opt_order = sconf->max_order; *bd->opt_order = sconf->max_order;
} }