[FFmpeg-cvslog] dpcm: ignore extra unpaired bytes in stereo streams.
Alex Converse
git at videolan.org
Mon Jun 4 12:34:51 CEST 2012
ffmpeg | branch: release/0.5 | Alex Converse <alex.converse at gmail.com> | Fri Feb 17 14:13:40 2012 -0800| [7944a87ba8a6b1faf167d5b116dfa55233e0a697] | committer: Reinhard Tartler
dpcm: ignore extra unpaired bytes in stereo streams.
Fixes: CVE-2011-3951
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)
Conflicts:
libavcodec/dpcm.c
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 41f1f146c9e29dde63e293078819474c9b8111a1)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7944a87ba8a6b1faf167d5b116dfa55233e0a697
---
libavcodec/dpcm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index daa21cd..a364864 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -167,6 +167,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
int in, out = 0;
int predictor[2];
int channel_number = 0;
+ int stereo = s->channels - 1;
short *output_samples = data;
int shift[2];
unsigned char byte;
@@ -175,6 +176,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
if (!buf_size)
return 0;
+ if (stereo && (buf_size & 1))
+ buf_size--;
+
// almost every DPCM variant expands one byte of data into two
if(*data_size/2 < buf_size)
return -1;
More information about the ffmpeg-cvslog
mailing list