Module: ffmpeg Branch: release/0.5 Commit: 329e816ed7903cf078c52aecd32a3be3b5dabbee
Author: Frank Barchard <[email protected]> Date: Sun Feb 13 21:38:45 2011 +0100 Check rangebits to avoid a possible crash. Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues). Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit 13184036a6b1b1d4b61c91118c0896e9ad4634c3) Addresses: CVE-2011-0480 Conflicts: libavcodec/vorbis_dec.c
---
libavcodec/vorbis_dec.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 541a406..5b8b056 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -466,6 +466,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
 if (floor_setup->floor_type==1) {
 uint_fast8_t maximum_class=0;
 uint_fast8_t rangebits;
+ uint_fast32_t rangemax;
 uint_fast16_t floor1_values=2;
 floor_setup->decode=vorbis_floor1_decode;
@@ -526,8 +527,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
 rangebits=get_bits(gb, 4);
+ rangemax = (1 << rangebits);
+ if (rangemax > vc->blocksize[1] / 2) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor value is too large for blocksize: %d (%d)\n",
+ rangemax, vc->blocksize[1] / 2);
+ return -1;
+ }
 floor_setup->data.t1.list[0].x = 0;
- floor_setup->data.t1.list[1].x = (1<<rangebits);
+ floor_setup->data.t1.list[1].x = rangemax;
 for(j=0;j<floor_setup->data.t1.partitions;++j) {
 for(k=0;k<floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]];++k,++floor1_values) {
_______________________________________________ ffmpeg-commits mailing list [email protected] https://lists.mplayerhq.hu/mailman/listinfo/ffmpeg-commits
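Review bot: In the second hunk's av_log call, `rangemax` is a `uint_fast32_t` but is printed with `%d`, so on platforms where that type is wider than int the variadic arguments are read with the wrong size and the error path taken for a malformed setup header has undefined behaviour. `vc->blocksize[1] / 2` may have the same mismatch, though the type of `blocksize` is declared outside the diff. Casting both keeps the message well defined: `"Floor value is too large for blocksize: %u (%u)\n",` followed by `(unsigned)rangemax, (unsigned)(vc->blocksize[1] / 2));`. vorbis_parse_setup_hdr_floors starts and ends outside both hunks, so it is worth confirming that the new `return -1` does not leave floor data allocated earlier in the function unreleased.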
