On Thu, Feb 16, 2012 at 12:52:20PM -0500, Justin Ruggles wrote: > From: Michael Niedermayer <[email protected]> > > This makes the check that avoids overwrite of the samples array actually > work properly. > > fixes CVE-2012-0848 > > Signed-off-by: Michael Niedermayer <[email protected]> > Signed-off-by: Justin Ruggles <[email protected]> > --- > libavcodec/ws-snd1.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c > index b2d086e..e8e4d15 100644 > --- a/libavcodec/ws-snd1.c > +++ b/libavcodec/ws-snd1.c > @@ -112,8 +112,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, > void *data, > > /* make sure we don't write past the output buffer */ > switch (code) { > - case 0: smp = 4; break; > - case 1: smp = 2; break; > + case 0: smp = 4 * (count + 1); break; > + case 1: smp = 2 * (count + 1); break; > case 2: smp = (count & 0x20) ? 1 : count + 1; break; > default: smp = count + 1; break; > } > --
probably OK _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
