author | Thilo Borgmann <thilo.borgmann@googlemail.com> | 2012-04-15 18:07:12 +0200 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-10-17 21:31:21 +0200 |
commit | dc5283dffcd41e8a41671d7566dfdd27c25e66bf (patch) | |
tree | 14b6185d33d284bd9b7dd024e6d938f98cb0407f | |
parent | c28e1c12adf43044c54383eec8a581f630fffda8 (diff) | |
download | ffmpeg-dc5283dffcd41e8a41671d7566dfdd27c25e66bf.tar.gz |
alsdec: fix number of decoded samples in first sub-block in BGMC mode.
Fixes CVE-2012-2790
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/alsdec.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 92b9e6caa5..459e2af928 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -770,7 +770,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 int delta[8];
 unsigned int k [8];
 unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
- unsigned int i;
 // read most significant bits
 unsigned int high;
@@ -782,28 +781,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 current_res = bd->raw_samples + start;
 for (sb = 0; sb < sub_blocks; sb++) {
+ unsigned int sb_len = sb_length - (sb ? 0 : start);
+
 k [sb] = s[sb] > b ? s[sb] - b : 0;
 delta[sb] = 5 - s[sb] + k[sb];
- ff_bgmc_decode(gb, sb_length, current_res,
+ ff_bgmc_decode(gb, sb_len, current_res,
 delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);
- current_res += sb_length;
+ current_res += sb_len;
 }
 ff_bgmc_decode_end(gb);
 // read least significant bits and tails
- i = start;
 current_res = bd->raw_samples + start;
- for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+ for (sb = 0; sb < sub_blocks; sb++, start = 0) {
 unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
 unsigned int cur_k = k[sb];
 unsigned int cur_s = s[sb];
- for (; i < sb_length; i++) {
+ for (; start < sb_length; start++) {
 int32_t res = *current_res;
 if (res == cur_tail_code) { |
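Review bot: `unsigned int sb_len = sb_length - (sb ? 0 : start);` is an unsigned subtraction, so for the first sub-block it wraps to a very large count if `start` is ever greater than `sb_length`, and that count goes straight to `ff_bgmc_decode()` as the number of residuals to write at `current_res`. Both values are computed outside this hunk, so I cannot see whether an earlier check already rules that case out; if none does, a guard before the first loop such as `if (start > sb_length) return AVERROR_INVALIDDATA;` would reject such a block instead of decoding with a wrapped length. Separately, the second loop now uses `start` itself as its counter (`sb++, start = 0` and `start++`), so the original offset is gone once that loop ends; a one-line comment such as `// start is consumed as the loop counter from here on` would help anyone who later adds a use of it further down. read_var_block_data() begins and ends outside the hunk.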