Module: libav Branch: master Commit: 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f
Author: Michael Niedermayer <[email protected]> Committer: Justin Ruggles <[email protected]> Date: Sat Mar 24 01:39:13 2012 +0100 alsdec: check opt_order. Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <[email protected]> Signed-off-by: Justin Ruggles <[email protected]> --- libavcodec/alsdec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index ef12253..defe3c4 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -668,6 +668,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); + if (*bd->opt_order > sconf->max_order) { + *bd->opt_order = sconf->max_order; + av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n"); + return AVERROR_INVALIDDATA; + } } else { *bd->opt_order = sconf->max_order; } _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
