Module: libav Branch: release/0.7 Commit: bb737d381f6d6413899a0697f426fb082eac66fc
Author: Michael Niedermayer <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Tue Jan 24 17:48:23 2012 +0100 dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> Signed-off-by: Alex Converse <[email protected]> (cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b) Signed-off-by: Reinhard Tartler <[email protected]> --- libavformat/dv.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 4b41e0a..fe6dac6 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -202,6 +202,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ + if (stype > 3) { + av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); + c->ach = 0; + return 0; + } + /* note: ach counts PAIRS of channels (i.e. stereo channels) */ ach = ((int[4]){ 1, 0, 2, 4})[stype]; if (ach == 1 && quant && freq == 2) _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
