[libav-commits] wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.

Michael Niedermayer git at libav.org
Sat Sep 29 19:21:26 CEST 2012


Module: libav
Branch: master
Commit: d65d8347314b645051e336aed141aaf32a6c0d02

Author:    Michael Niedermayer <michaelni at gmx.at>
Committer: Anton Khirnov <anton at khirnov.net>
Date:      Sat Apr 14 16:32:56 2012 +0200

wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.

Fixes CVE-2012-2799

CC:libav-stable at libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton at khirnov.net>

---

 libavcodec/wmalosslessdec.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index b97f397..df02528 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1230,6 +1230,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
              * to decode incomplete frames in the s->len_prefix == 0 case. */
             s->num_saved_bits = 0;
             s->packet_loss    = 0;
+            init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
         }
 
     } else {
@@ -1282,6 +1283,7 @@ static void flush(AVCodecContext *avctx)
     s->next_packet_start = 0;
     s->cdlms[0][0].order = 0;
     s->frame.nb_samples  = 0;
+    init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
 }
 
 AVCodec ff_wmalossless_decoder = {



More information about the libav-commits mailing list