[FFmpeg-cvslog] wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.
Michael Niedermayer
git at videolan.org
Sun Sep 30 14:21:46 CEST 2012
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sat Apr 14 16:32:56 2012 +0200| [d65d8347314b645051e336aed141aaf32a6c0d02] | committer: Anton Khirnov
wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.
Fixes CVE-2012-2799
CC:libav-stable at libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton at khirnov.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d65d8347314b645051e336aed141aaf32a6c0d02
---
libavcodec/wmalosslessdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index b97f397..df02528 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1230,6 +1230,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
* to decode incomplete frames in the s->len_prefix == 0 case. */
s->num_saved_bits = 0;
s->packet_loss = 0;
+ init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
}
} else {
@@ -1282,6 +1283,7 @@ static void flush(AVCodecContext *avctx)
s->next_packet_start = 0;
s->cdlms[0][0].order = 0;
s->frame.nb_samples = 0;
+ init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
}
AVCodec ff_wmalossless_decoder = {
More information about the ffmpeg-cvslog
mailing list