dv: check stype

dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Alex Converse <alex.converse@gmail.com> (cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Michael Niedermayer <michaelni@gmx.at> 2012-01-24 17:48:23 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2012-04-01 18:33:28 +0200
commit: bb737d381f6d6413899a0697f426fb082eac66fc (patch)
tree: f7d9522dd1e6891b0a2c7c181e2c9ac37b4208b9
parent: 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888 (diff)
download: ffmpeg-bb737d381f6d6413899a0697f426fb082eac66fc.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/dv.c b/libavformat/dv.c
index 4b41e0aa8e..fe6dac600e 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -202,6 +202,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
     stype = (as_pack[3] & 0x1f);      /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
     quant =  as_pack[4] & 0x07;       /* 0 - 16bit linear, 1 - 12bit nonlinear */
 
+    if (stype > 3) {
+        av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+        c->ach = 0;
+        return 0;
+    }
+
     /* note: ach counts PAIRS of channels (i.e. stereo channels) */
     ach = ((int[4]){  1,  0,  2,  4})[stype];
     if (ach == 1 && quant && freq == 2)
author	Michael Niedermayer <michaelni@gmx.at>	2012-01-24 17:48:23 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:28 +0200
commit	bb737d381f6d6413899a0697f426fb082eac66fc (patch)
tree	f7d9522dd1e6891b0a2c7c181e2c9ac37b4208b9
parent	0100c4b1b0736e0f5b3c98f9b0ab8acbef574888 (diff)
download	ffmpeg-bb737d381f6d6413899a0697f426fb082eac66fc.tar.gz