From: Thilo Borgmann <[email protected]>

Fixes CVE-2012-2790

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <[email protected]>
Signed-off-by: Justin Ruggles <[email protected]>
---
 libavcodec/alsdec.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 3990b50..b7b841a 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -770,7 +770,7 @@ static int read_var_block_data(ALSDecContext *ctx, 
ALSBlockData *bd)
         int          delta[8];
         unsigned int k    [8];
         unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 
5);
-        unsigned int i;
+        unsigned int i = start;
 
         // read most significant bits
         unsigned int high;
@@ -781,14 +781,14 @@ static int read_var_block_data(ALSDecContext *ctx, 
ALSBlockData *bd)
 
         current_res = bd->raw_samples + start;
 
-        for (sb = 0; sb < sub_blocks; sb++) {
+        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
             k    [sb] = s[sb] > b ? s[sb] - b : 0;
             delta[sb] = 5 - s[sb] + k[sb];
 
-            ff_bgmc_decode(gb, sb_length, current_res,
+            ff_bgmc_decode(gb, sb_length - i, current_res,
                         delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, 
ctx->bgmc_lut_status);
 
-            current_res += sb_length;
+            current_res += sb_length - i;
         }
 
         ff_bgmc_decode_end(gb);
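Review bot: The shortened first-sub-block length `sb_length - i` is computed in unsigned arithmetic (`i` is `unsigned int` and is initialised to `start` in the first hunk), so if `start` can ever exceed `sb_length` the subtraction wraps and `ff_bgmc_decode` is handed a very large count for `current_res`. Neither the upper bound on `start` nor the minimum value of `sb_length` is visible in these hunks, so that invariant should be confirmed where both are set, or enforced before the loop with something like `if (start > sb_length) return AVERROR_INVALIDDATA;` (adjusted to the error convention this function already uses). Resetting `i` in the `for` increment is also easy to misread; a comment such as `/* the first sub-block is shorter by start samples, all later ones are full length */` above the loop would make the intent explicit. read_var_block_data begins and ends outside both hunks, so any existing validation there is not visible here.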
-- 
1.7.1
