[FFmpeg-cvslog] dpcm: ignore extra unpaired bytes in stereo streams.

Alex Converse git at videolan.org
Mon Jun 4 13:13:42 CEST 2012


ffmpeg | branch: release/0.7 | Alex Converse <alex.converse at gmail.com> | Fri Feb 17 14:13:40 2012 -0800| [654b24f68a803fbc85764899a07294483dccf54f] | committer: Reinhard Tartler

dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=654b24f68a803fbc85764899a07294483dccf54f
---

 libavcodec/dpcm.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index af5bf8a..9cf9248 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
     int in, out = 0;
     int predictor[2];
     int channel_number = 0;
+    int stereo = s->channels - 1;
     short *output_samples = data;
     int shift[2];
     unsigned char byte;
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
     if (!buf_size)
         return 0;
 
+    if (stereo && (buf_size & 1))
+        buf_size--;
+
     // almost every DPCM variant expands one byte of data into two
     if(*data_size/2 < buf_size)
         return -1;
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
     }
 
     *data_size = out * sizeof(short);
-    return buf_size;
+    return avpkt->size;
 }
 
 #define DPCM_DECODER(id, name, long_name_)      \



More information about the ffmpeg-cvslog mailing list