Hi, On Thu, Feb 16, 2012 at 9:56 AM, Justin Ruggles <[email protected]> wrote: > From: Michael Niedermayer <[email protected]> > > Add a check to avoid writing past the end of the channel_unit.components[] > array. > > Fixes CVE-2012-0853 > > Signed-off-by: Michael Niedermayer <[email protected]> > Signed-off-by: Justin Ruggles <[email protected]> > --- > libavcodec/atrac3.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c > index fd036e7..136b16c 100644 > --- a/libavcodec/atrac3.c > +++ b/libavcodec/atrac3.c > @@ -402,6 +402,8 @@ static int decodeTonalComponents (GetBitContext *gb, > tonal_component *pComponent > > for (k=0; k<coded_components; k++) { > sfIndx = get_bits(gb,6); > + if (component_count >= 64) > + return AVERROR_INVALIDDATA; > pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); > max_coded_values = SAMPLES_PER_FRAME - > pComponent[component_count].pos; > coded_values = coded_values_per_component + 1; > -- > 1.7.1
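Review bot: the bound in the added `if (component_count >= 64)` check is a bare literal, and the neighbouring line already uses 64 with a different meaning in `j * 64 + (get_bits(gb,6))`. The commit message says the limit is the size of channel_unit.components[], whose declaration is not part of this hunk. Consider a single named constant shared by that array declaration and this check, so the two cannot drift apart. A one-line comment naming the array being protected would also help, because pComponent is only a pointer at this point and its capacity is not visible here. The check could also sit as the first statement of the loop body, ahead of `sfIndx = get_bits(gb,6)`, so the reject path is taken before anything more is read from the bitstream.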
OK. You can also add the component_count < 64 in the for(;..here..;) loop check, I don't think returning an error is absolutely necessary, but either way is OK.

Ronald
