diff options
author | Anton Khirnov <anton@khirnov.net> | 2012-09-29 08:40:42 +0200 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2012-09-29 10:29:53 +0200 |
commit | 065b3a1cfa3f23aedf76244b3f3883ba913173ff (patch) | |
tree | aa59c2067d44dd6c9ec019a6bd720c7f3e3784ea | |
parent | 4a969030e4d10f3f07fa52436ed3d3c6689694e0 (diff) | |
download | ffmpeg-065b3a1cfa3f23aedf76244b3f3883ba913173ff.tar.gz |
wmalosslessdec: increase channel_coeffs/residues size
Fixes CVE-2012-2792
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
-rw-r--r-- | libavcodec/wmalosslessdec.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8300b17184..c67a392bfe 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -23,6 +23,8 @@ */ #include "libavutil/attributes.h" +#include "libavutil/avassert.h" + #include "avcodec.h" #include "internal.h" #include "get_bits.h" @@ -158,14 +160,14 @@ typedef struct WmallDecodeCtx { int ave_sum[2]; - int channel_residues[2][2048]; + int channel_residues[2][WMALL_BLOCK_MAX_SIZE]; int lpc_coefs[2][40]; int lpc_order; int lpc_scaling; int lpc_intbits; - int channel_coeffs[2][2048]; + int channel_coeffs[2][WMALL_BLOCK_MAX_SIZE]; } WmallDecodeCtx; @@ -215,6 +217,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /* get frame len */ s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); + av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE); /* init previous block len */ for (i = 0; i < avctx->channels; i++) |