dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
author: Alex Converse <alex.converse@gmail.com> 2012-02-17 14:13:40 -0800
committer: Alex Converse <alex.converse@gmail.com> 2012-02-17 15:42:23 -0800
commit: ce7aee9b733134649a6ce2fa743e51733f33e67e (patch)
tree: 6d787b5e717402a8daf5650306627d3f3353bfa1 /libavcodec/dpcm.c
parent: 3e13005cac6e076053276b515f5fcf59a3f4b65d (diff)
download: ffmpeg-ce7aee9b733134649a6ce2fa743e51733f33e67e.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 1b0f6b005b..7f5dbfe3b9 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -183,6 +183,11 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     int stereo = s->channels - 1;
     int16_t *output_samples;
 
+    if (stereo && (buf_size & 1)) {
+        buf_size--;
+        buf_end--;
+    }
+
     /* calculate output size */
     switch(avctx->codec->id) {
     case CODEC_ID_ROQ_DPCM:
@@ -317,7 +322,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame_ptr   = 1;
     *(AVFrame *)data = s->frame;
 
-    return buf_size;
+    return avpkt->size;
 }
 
 #define DPCM_DECODER(id_, name_, long_name_)                \
author	Alex Converse <alex.converse@gmail.com>	2012-02-17 14:13:40 -0800
committer	Alex Converse <alex.converse@gmail.com>	2012-02-17 15:42:23 -0800
commit	ce7aee9b733134649a6ce2fa743e51733f33e67e (patch)
tree	6d787b5e717402a8daf5650306627d3f3353bfa1 /libavcodec/dpcm.c
parent	3e13005cac6e076053276b515f5fcf59a3f4b65d (diff)
download	ffmpeg-ce7aee9b733134649a6ce2fa743e51733f33e67e.tar.gz