aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnton Khirnov <anton@khirnov.net>2012-09-29 08:40:42 +0200
committerAnton Khirnov <anton@khirnov.net>2012-09-29 10:29:53 +0200
commit065b3a1cfa3f23aedf76244b3f3883ba913173ff (patch)
treeaa59c2067d44dd6c9ec019a6bd720c7f3e3784ea
parent4a969030e4d10f3f07fa52436ed3d3c6689694e0 (diff)
downloadffmpeg-065b3a1cfa3f23aedf76244b3f3883ba913173ff.tar.gz
wmalosslessdec: increase channel_coeffs/residues size
Fixes CVE-2012-2792 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
-rw-r--r--libavcodec/wmalosslessdec.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 8300b17184..c67a392bfe 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -23,6 +23,8 @@
*/
#include "libavutil/attributes.h"
+#include "libavutil/avassert.h"
+
#include "avcodec.h"
#include "internal.h"
#include "get_bits.h"
@@ -158,14 +160,14 @@ typedef struct WmallDecodeCtx {
int ave_sum[2];
- int channel_residues[2][2048];
+ int channel_residues[2][WMALL_BLOCK_MAX_SIZE];
int lpc_coefs[2][40];
int lpc_order;
int lpc_scaling;
int lpc_intbits;
- int channel_coeffs[2][2048];
+ int channel_coeffs[2][WMALL_BLOCK_MAX_SIZE];
} WmallDecodeCtx;
@@ -215,6 +217,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
/* get frame len */
s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
3, s->decode_flags);
+ av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE);
/* init previous block len */
for (i = 0; i < avctx->channels; i++)