aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/dv.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-01-24 18:48:23 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-01-25 16:41:26 +0100
commitf9de136b17bc72ff02f39c6a53756d72bbc4bd15 (patch)
tree10d8c199019aff495728a527d4b9b33d83b25261 /libavformat/dv.c
parent4a68949cd841b077e20523bda1196a7558554dd9 (diff)
downloadffmpeg-f9de136b17bc72ff02f39c6a53756d72bbc4bd15.tar.gz
dv: check stype
Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/dv.c')
-rw-r--r--libavformat/dv.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/dv.c b/libavformat/dv.c
index d99dee3782..062c56787f 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -207,6 +207,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */
+ if (stype > 3) {
+ av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+ c->ach = 0;
+ return 0;
+ }
+
/* note: ach counts PAIRS of channels (i.e. stereo channels) */
ach = ((int[4]){ 1, 0, 2, 4})[stype];
if (ach == 1 && quant && freq == 2)