ws_snd1: Fix wrong samples counts.

This makes the check that avoids overwrite of the samples array actually work properly. fixes CVE-2012-0848 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
author: Michael Niedermayer <michaelni@gmx.at> 2011-12-25 00:10:27 +0100
committer: Justin Ruggles <justin.ruggles@gmail.com> 2012-02-16 15:18:45 -0500
commit: 9fb7a5af97d8c084c3af2566070d09eae0ab49fc (patch)
tree: 3d2fb28eae6d4aaeadf3571503bca0cab8ee4d3c /libavcodec/ws-snd1.c
parent: 51df7b232f19f85188cca30fce26eb3587126ab3 (diff)
download: ffmpeg-9fb7a5af97d8c084c3af2566070d09eae0ab49fc.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index b2d086e073..e8e4d1567c 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -112,8 +112,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, void *data,
 
         /* make sure we don't write past the output buffer */
         switch (code) {
-        case 0:  smp = 4;                              break;
-        case 1:  smp = 2;                              break;
+        case 0:  smp = 4 * (count + 1);                break;
+        case 1:  smp = 2 * (count + 1);                break;
         case 2:  smp = (count & 0x20) ? 1 : count + 1; break;
         default: smp = count + 1;                      break;
         }
author	Michael Niedermayer <michaelni@gmx.at>	2011-12-25 00:10:27 +0100
committer	Justin Ruggles <justin.ruggles@gmail.com>	2012-02-16 15:18:45 -0500
commit	9fb7a5af97d8c084c3af2566070d09eae0ab49fc (patch)
tree	3d2fb28eae6d4aaeadf3571503bca0cab8ee4d3c /libavcodec/ws-snd1.c
parent	51df7b232f19f85188cca30fce26eb3587126ab3 (diff)
download	ffmpeg-9fb7a5af97d8c084c3af2566070d09eae0ab49fc.tar.gz