From: Michael Niedermayer <[email protected]> This makes the check that avoids overwrite of the samples array actually work properly.
fixes CVE-2012-0848 Signed-off-by: Michael Niedermayer <[email protected]> Signed-off-by: Justin Ruggles <[email protected]> --- libavcodec/ws-snd1.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index b2d086e..e8e4d15 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -112,8 +112,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, void *data, /* make sure we don't write past the output buffer */ switch (code) { - case 0: smp = 4; break; - case 1: smp = 2; break; + case 0: smp = 4 * (count + 1); break; + case 1: smp = 2 * (count + 1); break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; } -- 1.7.1 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
