authorThilo Borgmann <thilo.borgmann@googlemail.com>2012-04-15 18:07:12 +0200
committerReinhard Tartler <siretart@tauware.de>2013-01-04 07:43:38 +0100
commit9474c93028444f0524e8a09a115fbdc3a3756cd0 (patch)
tree3a0e7a6a1e43da9c2284a28d1175e2eec2e2f2cf
parent7e070cf2025fe7d0d7f296b7c7592e2c9b8cd1e5 (diff)
alsdec: fix number of decoded samples in first sub-block in BGMC mode.
Fixes CVE-2012-2790 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r--libavcodec/alsdec.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index a7d7fd732f..6678daadac 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -769,7 +769,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
int delta[8];
unsigned int k [8];
unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
- unsigned int i;
// read most significant bits
unsigned int high;
@@ -781,28 +780,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
current_res = bd->raw_samples + start;
for (sb = 0; sb < sub_blocks; sb++) {
+ unsigned int sb_len = sb_length - (sb ? 0 : start);
+
k [sb] = s[sb] > b ? s[sb] - b : 0;
delta[sb] = 5 - s[sb] + k[sb];
- ff_bgmc_decode(gb, sb_length, current_res,
+ ff_bgmc_decode(gb, sb_len, current_res,
delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);
- current_res += sb_length;
+ current_res += sb_len;
}
ff_bgmc_decode_end(gb);
// read least significant bits and tails
- i = start;
current_res = bd->raw_samples + start;
- for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+ for (sb = 0; sb < sub_blocks; sb++, start = 0) {
unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
unsigned int cur_k = k[sb];
unsigned int cur_s = s[sb];
- for (; i < sb_length; i++) {
+ for (; start < sb_length; start++) {
int32_t res = *current_res;
if (res == cur_tail_code) {
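Review bot: The added `sb_len = sb_length - (sb ? 0 : start)` is an unsigned subtraction, and nothing visible in this hunk guarantees `start <= sb_length` for the first sub-block; if `start` were larger, `sb_len` would wrap to a very large count, and both the `ff_bgmc_decode` call and `current_res += sb_len` would run past `bd->raw_samples`. The code that sets `start` and `sb_length` lies outside the hunk, so the bound may already be enforced there, but an explicit guard before the first loop would keep the check next to the arithmetic that depends on it: `if (start > sb_length) return AVERROR_INVALIDDATA;`. Separately, the second loop now uses `start` itself as the counter and resets it to 0 after the first sub-block, so any later code in the function that still reads `start` would see the modified value; a comment such as `// start is consumed here: non-zero only for the first sub-block` would record that this is intentional. read_var_block_data begins before and continues after this hunk.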