On 08/12/13 19:25, Reinhard Tartler wrote:
> Fix writing over the end
>
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Addresses: CVE-2013-0845
Reported-by:
> ---
> libavcodec/alsdec.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
> index 782a1b8..f7dee7d 100644
> --- a/libavcodec/alsdec.c
> +++ b/libavcodec/alsdec.c
> @@ -1376,6 +1376,11 @@ static int read_frame_data(ALSDecContext *ctx,
> unsigned int ra_frame)
>
> for (b = 0; b < ctx->num_blocks; b++) {
> bd.block_length = div_blocks[b];
> + if (bd.block_length <= 0) {
> + av_log(ctx->avctx, AV_LOG_WARNING,
> + "Invalid block length %d in channel data!\n",
> bd.block_length);
> + continue;
> + }
>
> for (c = 0; c < avctx->channels; c++) {
> bd.const_block = ctx->const_block + c;
>
Patch ok to me.
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
