diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-24 01:39:13 +0100 |
|---|---|---|
| committer | Justin Ruggles <justin.ruggles@gmail.com> | 2012-09-17 14:17:26 -0400 |
| commit | 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f (patch) | |
| tree | 7d4f0d87d5f5ee84d24c7065c790ee5cdede0b30 /libavcodec/alsdec.c | |
| parent | 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521 (diff) | |
| download | ffmpeg-9853e41aa0a6cfff629ff7009685eb8bf8d64e7f.tar.gz | |
alsdec: check opt_order.
Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.
Fixes CVE-2012-2775
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Diffstat (limited to 'libavcodec/alsdec.c')
| -rw-r--r-- | libavcodec/alsdec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index ef12253271..defe3c4850 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -668,6 +668,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); + if (*bd->opt_order > sconf->max_order) { + *bd->opt_order = sconf->max_order; + av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n"); + return AVERROR_INVALIDDATA; + } } else { *bd->opt_order = sconf->max_order; } |