[FFmpeg-cvslog] dpcm: ignore extra unpaired bytes in stereo streams.

Mon Jun 4 12:34:51 CEST 2012

ffmpeg | branch: release/0.5 | Alex Converse <alex.converse at gmail.com> | Fri Feb 17 14:13:40 2012 -0800| [7944a87ba8a6b1faf167d5b116dfa55233e0a697] | committer: Reinhard Tartler

dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 1ce9c93198fc997e8f23934a78e2937af670e4e9)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 41f1f146c9e29dde63e293078819474c9b8111a1)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7944a87ba8a6b1faf167d5b116dfa55233e0a697
---

 libavcodec/dpcm.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index daa21cd..a364864 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -167,6 +167,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
     int in, out = 0;
     int predictor[2];
     int channel_number = 0;
+    int stereo = s->channels - 1;
     short *output_samples = data;
     int shift[2];
     unsigned char byte;
@@ -175,6 +176,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
     if (!buf_size)
         return 0;
 
+    if (stereo && (buf_size & 1))
+        buf_size--;
+
     // almost every DPCM variant expands one byte of data into two
     if(*data_size/2 < buf_size)
         return -1;

