Module: libav
Branch: release/0.8
Commit: d0e53ecff736fd23c985c184051a7ae44529e448

Author:    Alex Converse <[email protected]>
Committer: Alex Converse <[email protected]>
Date:      Wed Jan 25 15:46:14 2012 -0800

mp3dec: Fix a heap-buffer-overflow

In some cases, what is left to read from ptr is smaller than EXTRABYTES.

Based on a patch by Thierry Foucu <[email protected]>.

Signed-off-by: Alex Converse <[email protected]>
(cherry picked from commit f372ce119bd2458fa0b4ddfb2af3a36621df99f7)

---

 libavcodec/mpegaudiodec.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 860c0c3..04c1d98 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1378,16 +1378,17 @@ static int mp_decode_layer3(MPADecodeContext *s)
     if (!s->adu_mode) {
         int skip;
         const uint8_t *ptr = s->gb.buffer + (get_bits_count(&s->gb)>>3);
+        int extrasize = av_clip(get_bits_left(&s->gb) >> 3, 0, EXTRABYTES);
         assert((get_bits_count(&s->gb) & 7) == 0);
         /* now we get bits from the main_data_begin offset */
         av_dlog(s->avctx, "seekback: %d\n", main_data_begin);
     //av_log(NULL, AV_LOG_ERROR, "backstep:%d, lastbuf:%d\n", main_data_begin, 
s->last_buf_size);
 
-        memcpy(s->last_buf + s->last_buf_size, ptr, EXTRABYTES);
+        memcpy(s->last_buf + s->last_buf_size, ptr, extrasize);
         s->in_gb = s->gb;
         init_get_bits(&s->gb, s->last_buf, s->last_buf_size*8);
 #if !UNCHECKED_BITSTREAM_READER
-        s->gb.size_in_bits_plus8 += EXTRABYTES * 8;
+        s->gb.size_in_bits_plus8 += extrasize * 8;
 #endif
         s->last_buf_size <<= 3;
         for (gr = 0; gr < nb_granules && (s->last_buf_size >> 3) < 
main_data_begin; gr++) {
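Review bot: At the memcpy into s->last_buf + s->last_buf_size, a short copy (extrasize < EXTRABYTES) leaves the remaining EXTRABYTES - extrasize bytes of the tail holding whatever was there before. In builds with UNCHECKED_BITSTREAM_READER set, the size_in_bits_plus8 adjustment is compiled out, so nothing visible here stops the reader from consuming those stale bytes. Consider zeroing the unwritten part of the tail after the copy, for example `memset(s->last_buf + s->last_buf_size + extrasize, 0, EXTRABYTES - extrasize);`, which assumes last_buf keeps EXTRABYTES of room past last_buf_size, as the old unconditional copy implied. A one-line comment on the extrasize declaration would also help, saying that it bounds the read from ptr to what is left in s->gb and that the lower bound of 0 covers a negative get_bits_left().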

_______________________________________________
libav-commits mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-commits
