[libav-commits] wmalosslessdec: increase channel_coeffs/residues size

Anton Khirnov Sat, 29 Sep 2012 01:33:57 -0700

Module: libav
Branch: master
Commit: 065b3a1cfa3f23aedf76244b3f3883ba913173ff


Author:    Anton Khirnov <[email protected]>
Committer: Anton Khirnov <[email protected]>
Date:      Sat Sep 29 08:40:42 2012 +0200

wmalosslessdec: increase channel_coeffs/residues size

Fixes CVE-2012-2792

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

---

 libavcodec/wmalosslessdec.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 8300b17..c67a392 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -23,6 +23,8 @@
  */
 
 #include "libavutil/attributes.h"
+#include "libavutil/avassert.h"
+
 #include "avcodec.h"
 #include "internal.h"
 #include "get_bits.h"
@@ -158,14 +160,14 @@ typedef struct WmallDecodeCtx {
 
     int ave_sum[2];
 
-    int channel_residues[2][2048];
+    int channel_residues[2][WMALL_BLOCK_MAX_SIZE];
 
     int lpc_coefs[2][40];
     int lpc_order;
     int lpc_scaling;
     int lpc_intbits;
 
-    int channel_coeffs[2][2048];
+    int channel_coeffs[2][WMALL_BLOCK_MAX_SIZE];
 } WmallDecodeCtx;
 
 
@@ -215,6 +217,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     /* get frame len */
     s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
                                                           3, s->decode_flags);
+    av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE);
 
     /* init previous block len */
     for (i = 0; i < avctx->channels; i++)

_______________________________________________
libav-commits mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-commits

[libav-commits] wmalosslessdec: increase channel_coeffs/residues size

Reply via email to