[libav-stable] Fwd: [libav-commits] alsdec: check opt_order.

Justin Ruggles justin.ruggles at gmail.com
Fri Sep 21 19:19:31 CEST 2012


forgot to CC in commit message

-------- Original Message --------
Subject: [libav-commits] alsdec: check opt_order.
Date: Mon, 17 Sep 2012 20:54:15 +0200 (CEST)
From: Michael Niedermayer  <git at libav.org>
Reply-To: libav-devel at libav.org
To: libav-commits at libav.org

Module: libav
Branch: master
Commit: 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f

Author:    Michael Niedermayer <michaelni at gmx.at>
Committer: Justin Ruggles <justin.ruggles at gmail.com>
Date:      Sat Mar 24 01:39:13 2012 +0100

alsdec: check opt_order.

Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.

Fixes CVE-2012-2775

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles at gmail.com>

---

 libavcodec/alsdec.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index ef12253..defe3c4 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -668,6 +668,11 @@ static int read_var_block_data(ALSDecContext *ctx,
ALSBlockData *bd)
             int opt_order_length =
av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                 2, sconf->max_order + 1));
             *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                *bd->opt_order = sconf->max_order;
+                av_log(avctx, AV_LOG_ERROR, "Predictor order too
large!\n");
+                return AVERROR_INVALIDDATA;
+            }
         } else {
             *bd->opt_order = sconf->max_order;
         }

_______________________________________________
libav-commits mailing list
libav-commits at libav.org
https://lists.libav.org/mailman/listinfo/libav-commits



More information about the libav-stable mailing list