diff options
| author | Reinhard Tartler <siretart@tauware.de> | 2013-12-08 13:24:26 -0500 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2013-12-14 12:51:40 -0500 |
| commit | 3f7d89034bfe50893927cc92ddcb95a2e9b4178d (patch) | |
| tree | e8142a8d962949ae005a734c0754e601f77beb6b | |
| parent | 718a2ddcb898d8465c6715ac1a6627ca67dc6a22 (diff) | |
| download | ffmpeg-3f7d89034bfe50893927cc92ddcb95a2e9b4178d.tar.gz | |
alsdec: check block length
Fix writing over the end
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Addresses: CVE-2013-0845
(cherry picked from commit 2a0fb7286d67c47e44aa76c237ede117b22af616)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavcodec/alsdec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index f1d01a2569..cb942c2e7c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1380,6 +1380,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; + if (bd.block_length <= 0) { + av_log(ctx->avctx, AV_LOG_WARNING, + "Invalid block length %d in channel data!\n", bd.block_length); + continue; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; |