[libav-devel] [PATCH 1/2] smacker: Check that the data size is a multiple of a sample vector

Diego Biurrun Tue, 30 May 2017 09:15:13 -0700

From: Michael Niedermayer <mich...@niedermayer.cc>

Fixes out of array access
Fixes: 
ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk


Bug-Id: CVE-2015-8365
CC: libav-sta...@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
(cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892)
Signed-off-by: Diego Biurrun <di...@biurrun.de>
---
 libavcodec/smacker.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index c4b4bc7..4111c3b 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -639,6 +639,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void 
*data,
 
     /* get output buffer */
     frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
+    if (unp_size % (avctx->channels * (bits + 1))) {
+        av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size);
+        return AVERROR(EINVAL);
+    }
     if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
-- 
2.1.4

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 1/2] smacker: Check that the data size is a multiple of a sample vector

Reply via email to