Quoting Diego Biurrun (2017-05-30 18:14:08) > From: Michael Niedermayer <[email protected]> > > Fixes out of array access > Fixes: > ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk > > Bug-Id: CVE-2015-8365 > CC: [email protected] > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > Signed-off-by: Michael Niedermayer <[email protected]> > (cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892) > Signed-off-by: Diego Biurrun <[email protected]> > --- > libavcodec/smacker.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c > index c4b4bc7..4111c3b 100644 > --- a/libavcodec/smacker.c > +++ b/libavcodec/smacker.c > @@ -639,6 +639,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void > *data, > > /* get output buffer */ > frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); > + if (unp_size % (avctx->channels * (bits + 1))) { > + av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size); > + return AVERROR(EINVAL); > + }
The placement of the check is weird, it would make more sense among the other checks immediately above. -- Anton Khirnov _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
