From: Michael Niedermayer <[email protected]> Fixes out of array access Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk
Bug-Id: CVE-2015-8365 CC: [email protected] Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892) Signed-off-by: Diego Biurrun <[email protected]> --- Fixed error message wording and error check placement. libavcodec/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index c4b4bc7..d42347c 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -636,6 +636,11 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); return AVERROR(EINVAL); } + if (unp_size % (avctx->channels * (bits + 1))) { + av_log(avctx, AV_LOG_ERROR, + "The buffer does not contain an integer number of samples\n"); + return AVERROR(EINVAL); + } /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); -- 2.1.4 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
