[libav-commits] nsvdec: Fix use of uninitialized streams.

Sun, 01 Apr 2012 10:05:11 -0700 

Module: libav
Branch: release/0.7
Commit: 65beb8c1173906b0541442713cb29e8ba44c47ef

Author:    Michael Niedermayer <[email protected]>
Committer: Reinhard Tartler <[email protected]>
Date:      Tue Jan 24 22:20:26 2012 +0100

nsvdec: Fix use of uninitialized streams.

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <[email protected]>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <[email protected]>

---

 libavformat/nsvdec.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 9adb2f4..c37300f 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -596,12 +596,12 @@ null_chunk_retry:
     }
 
     /* map back streams to v,a */
-    if (s->streams[0])
+    if (s->nb_streams > 0)
         st[s->streams[0]->id] = s->streams[0];
-    if (s->streams[1])
+    if (s->nb_streams > 1)
         st[s->streams[1]->id] = s->streams[1];
 
-    if (vsize/* && st[NSV_ST_VIDEO]*/) {
+    if (vsize && st[NSV_ST_VIDEO]) {
         nst = st[NSV_ST_VIDEO]->priv_data;
         pkt = &nsv->ahead[NSV_ST_VIDEO];
         av_get_packet(pb, pkt, vsize);
@@ -614,7 +614,7 @@ null_chunk_retry:
     if(st[NSV_ST_VIDEO])
         ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
 
-    if (asize/*st[NSV_ST_AUDIO]*/) {
+    if (asize && st[NSV_ST_AUDIO]) {
         nst = st[NSV_ST_AUDIO]->priv_data;
         pkt = &nsv->ahead[NSV_ST_AUDIO];
         /* read raw audio specific header on the first audio chunk... */

_______________________________________________
libav-commits mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-commits

Reply via email to