ws_snd1: Fix wrong samples count and crash.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc) Addresses CVE-2012-0848 Reviewed-by: Justin Ruggles <justin.ruggles@gmail.com> Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Michael Niedermayer <michaelni@gmx.at> 2011-12-25 00:10:27 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2012-02-26 10:03:05 +0100
commit: 697a45d861b7cd6a96718383a44f41348487f844 (patch)
tree: 01e999d001c722dd298da40f8f248a52cdaf5129
parent: 4c7879775e81ccca8f0f1d2a7b70524ee47b16ca (diff)
download: ffmpeg-697a45d861b7cd6a96718383a44f41348487f844.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index b2d086e073..15eb6f895a 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -112,8 +112,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, void *data,
 
         /* make sure we don't write past the output buffer */
         switch (code) {
-        case 0:  smp = 4;                              break;
-        case 1:  smp = 2;                              break;
+        case 0:  smp = 4*(count+1);                    break;
+        case 1:  smp = 2*(count+1);                    break;
         case 2:  smp = (count & 0x20) ? 1 : count + 1; break;
         default: smp = count + 1;                      break;
         }
author	Michael Niedermayer <michaelni@gmx.at>	2011-12-25 00:10:27 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2012-02-26 10:03:05 +0100
commit	697a45d861b7cd6a96718383a44f41348487f844 (patch)
tree	01e999d001c722dd298da40f8f248a52cdaf5129
parent	4c7879775e81ccca8f0f1d2a7b70524ee47b16ca (diff)
download	ffmpeg-697a45d861b7cd6a96718383a44f41348487f844.tar.gz