On 01/26/2012 07:21 PM, Alex Converse wrote: > From: Michael Niedermayer <[email protected]> > > dv: check stype > > Fixes part1 of CVE-2011-3929 > Possibly fixes part of CVE-2011-3936 > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > Reviewed-by: Roman Shaposhnik <[email protected]> > Signed-off-by: Michael Niedermayer <[email protected]> > Signed-off-by: Alex Converse <[email protected]> > --- > libavformat/dv.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/libavformat/dv.c b/libavformat/dv.c > index 805f252..4896b0a 100644 > --- a/libavformat/dv.c > +++ b/libavformat/dv.c > @@ -204,6 +204,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, > uint8_t* frame) > stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ > quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit > nonlinear */ > > + if (stype > 3) { > + av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); > + c->ach = 0; > + return 0; > + } > + > /* note: ach counts PAIRS of channels (i.e. stereo channels) */ > ach = ((int[4]){ 1, 0, 2, 4})[stype]; > if (ach == 1 && quant && freq == 2)
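Review bot: the bound in `if (stype > 3)` is a hand-written literal tied to the four-entry compound literal `(int[4]){ 1, 0, 2, 4}` that is indexed just below it. Because stype is `as_pack[3] & 0x1f` it can be anything from 0 to 31, so this check is the only thing keeping the lookup inside the table. Hoisting the table into a named static const array and comparing stype against FF_ARRAY_ELEMS of that array would keep the bound and the table from drifting apart. Separately, stype 1 still passes the check and silently produces ach 0 from the table with no log message, while the comment lists only 0, 2 and 3 as valid values. Either reject it in the same branch or add a comment saying it is deliberately treated as no audio.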
lgtm. -Justin
