[FFmpeg-cvslog] r26368 - trunk/libavcodec/vorbis_dec.c

michael subversion
Sat Jan 15 18:10:49 CET 2011


Author: michael
Date: Sat Jan 15 18:10:49 2011
New Revision: 26368

Log:
Second hunk from security fix from Google.
The hunk is not fully understood but it just makes a check tighter so it's
safer for us to apply until it is fully understood.

Might fix issue 2550 (and Chrome issue 68115 and unknown CERT issues).
Our bugtracker issue though should stay open until this has been fully
investigated

Patch by Frank Barchard, fbarchard at google

Modified:
   trunk/libavcodec/vorbis_dec.c

Modified: trunk/libavcodec/vorbis_dec.c
==============================================================================
--- trunk/libavcodec/vorbis_dec.c	Sat Jan 15 17:39:52 2011	(r26367)
+++ trunk/libavcodec/vorbis_dec.c	Sat Jan 15 18:10:49 2011	(r26368)
@@ -661,7 +661,7 @@ static int vorbis_parse_setup_hdr_residu
         res_setup->partition_size = get_bits(gb, 24) + 1;
         /* Validations to prevent a buffer overflow later. */
         if (res_setup->begin>res_setup->end ||
-            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
+            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
             (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
             av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
             return -1;
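
Review bot: the av_log call at the end of this hunk reports `vc->blocksize[1] / 2` as the blocksize, but the limit compared against `res_setup->end` on the changed line is `vc->avccontext->channels * vc->blocksize[1] / 2`, so a rejected header logs a value that is not the bound it failed. Compute the limit once into a local, use it in the condition and print it in the message so the two cannot drift apart. The "Validations to prevent a buffer overflow later" comment should also record why residue type 2 no longer gets the larger `/ 1` bound, since the log message says the change is not yet fully understood and the next reader will have only this line to go on.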


