[FFmpeg-cvslog] Check rangebits to avoid a possible crash.
Frank Barchard
git
Tue Feb 15 17:03:05 CET 2011
ffmpeg | branch: release/0.5 | Frank Barchard <fbarchard at google.com> | Sun Feb 13 21:38:45 2011 +0100| [329e816ed7903cf078c52aecd32a3be3b5dabbee] | committer: Reinhard Tartler
Check rangebits to avoid a possible crash.
Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).
Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 13184036a6b1b1d4b61c91118c0896e9ad4634c3)
Addresses: CVE-2011-0480
Conflicts:
libavcodec/vorbis_dec.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=329e816ed7903cf078c52aecd32a3be3b5dabbee
---
libavcodec/vorbis_dec.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 541a406..5b8b056 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -466,6 +466,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
if (floor_setup->floor_type==1) {
uint_fast8_t maximum_class=0;
uint_fast8_t rangebits;
+ uint_fast32_t rangemax;
uint_fast16_t floor1_values=2;
floor_setup->decode=vorbis_floor1_decode;
@@ -526,8 +527,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
rangebits=get_bits(gb, 4);
+ rangemax = (1 << rangebits);
+ if (rangemax > vc->blocksize[1] / 2) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor value is too large for blocksize: %d (%d)\n",
+ rangemax, vc->blocksize[1] / 2);
+ return -1;
+ }
floor_setup->data.t1.list[0].x = 0;
- floor_setup->data.t1.list[1].x = (1<<rangebits);
+ floor_setup->data.t1.list[1].x = rangemax;
for(j=0;j<floor_setup->data.t1.partitions;++j) {
for(k=0;k<floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]];++k,++floor1_values) {
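Review bot: The new `av_log` call passes `rangemax`, declared `uint_fast32_t` in the first hunk, to a `%d` conversion; on platforms where `uint_fast32_t` is wider than `int` (64-bit glibc, for example) that is a varargs type mismatch, so the diagnostic for a rejected file can print garbage. The second argument, `vc->blocksize[1] / 2`, probably has the same problem, but the type of `blocksize` is not visible in this hunk. Casting both at the call site keeps the message reliable: `"Floor value is too large for blocksize: %u (%u)\n", (unsigned)rangemax, (unsigned)(vc->blocksize[1] / 2));`. A short comment above the check, such as `/* list[1].x must fit in half the long block, otherwise floor decode indexes past the buffer */`, would record why the bound is `blocksize[1] / 2`. The body of vorbis_parse_setup_hdr_floors starts and ends outside this hunk, so whether the early `return -1` leaves cleanup to the caller cannot be confirmed from here.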