On Tue, Sep 04, 2012 at 02:32:19PM -0400, Justin Ruggles wrote:
> From: Michael Niedermayer <[email protected]>
> 
> Fixes out of array write in quant_cof
> 
> Fixes CVE-2012-2775
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <[email protected]>
> Signed-off-by: Justin Ruggles <[email protected]>
> ---
>  libavcodec/alsdec.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
> index ef12253..dce248d 100644
> --- a/libavcodec/alsdec.c
> +++ b/libavcodec/alsdec.c
> @@ -668,6 +668,10 @@ static int read_var_block_data(ALSDecContext *ctx, 
> ALSBlockData *bd)
>              int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 
> 3) - 1,
>                                                  2, sconf->max_order + 1));
>              *bd->opt_order       = get_bits(gb, opt_order_length);
> +            if (*bd->opt_order > sconf->max_order) {
> +                av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
> +                return AVERROR_INVALIDDATA;
> +            }
>          } else {
>              *bd->opt_order = sconf->max_order;
>          }
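Review bot: the added check on `*bd->opt_order > sconf->max_order` would benefit from a short comment and a more informative log line. `opt_order_length` is a bit count from `av_ceil_log2()` of a value clipped to at most `sconf->max_order + 1`, so `get_bits(gb, opt_order_length)` can return values above `max_order` whenever that bound is not a power of two; stating this above the `if` makes it clear why the clip two lines earlier is not sufficient on its own. Consider also printing both values in the message, for example "Predictor order %d exceeds max_order %d", so a rejected stream can be diagnosed from the log. The `else` branch assigns `sconf->max_order` directly and needs no check.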
> -- 

LGTM
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
