[libav-commits] nsvdec: Fix use of uninitialized streams.

Michael Niedermayer git at libav.org
Sat Apr 21 18:36:49 CEST 2012


Module: libav
Branch: release/0.5
Commit: bde4b660637c9f08eef51697c54417037a9eeb2f

Author:    Michael Niedermayer <michaelni at gmx.at>
Committer: Reinhard Tartler <siretart at tauware.de>
Date:      Tue Jan 24 22:20:26 2012 +0100

nsvdec: Fix use of uninitialized streams.

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)

Signed-off-by: Alex Converse <alex.converse at gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 1edf848a81464afd514afbbbcb97b471d334e14a)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

---

 libavformat/nsvdec.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 719337c..d592617 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -586,12 +586,12 @@ null_chunk_retry:
     }
 
     /* map back streams to v,a */
-    if (s->streams[0])
+    if (s->nb_streams > 0)
         st[s->streams[0]->id] = s->streams[0];
-    if (s->streams[1])
+    if (s->nb_streams > 1)
         st[s->streams[1]->id] = s->streams[1];
 
-    if (vsize/* && st[NSV_ST_VIDEO]*/) {
+    if (vsize && st[NSV_ST_VIDEO]) {
         nst = st[NSV_ST_VIDEO]->priv_data;
         pkt = &nsv->ahead[NSV_ST_VIDEO];
         av_get_packet(pb, pkt, vsize);
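Review bot: The mapping lines `st[s->streams[0]->id] = s->streams[0];` and `st[s->streams[1]->id] = s->streams[1];` still use `id` as an index into `st[]` with no range check, and the new `st[NSV_ST_VIDEO]` guard only works if `st[]` is zeroed before this mapping runs; neither is visible in this hunk. Please confirm both, or guard the index explicitly (for example, only store when `id` is `NSV_ST_VIDEO` or `NSV_ST_AUDIO`). Now that `nb_streams` is what gates the dereference, a short comment here explaining why `s->streams[N]` cannot be tested directly would help the next reader.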
@@ -606,7 +606,7 @@ null_chunk_retry:
     if(st[NSV_ST_VIDEO])
         ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
 
-    if (asize/*st[NSV_ST_AUDIO]*/) {
+    if (asize && st[NSV_ST_AUDIO]) {
         nst = st[NSV_ST_AUDIO]->priv_data;
         pkt = &nsv->ahead[NSV_ST_AUDIO];
         /* read raw audio specific header on the first audio chunk... */
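Review bot: With `if (asize && st[NSV_ST_AUDIO])`, a chunk that declares a non-zero `asize` but has no mapped audio stream now skips the block without consuming the payload from `pb`, so the next read starts inside the audio data. The same applies to the `vsize && st[NSV_ST_VIDEO]` guard earlier in this patch, where the `av_get_packet(pb, pkt, vsize)` call sits inside the guarded block. Consider an else branch that skips the declared bytes and logs the mismatch, so a malformed file fails cleanly instead of desynchronising the parser.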


