[FFmpeg-cvslog] *** GMX Spamverdacht *** Re: alsdec: check block length

Thilo Borgmann thilo.borgmann at mail.de
Sat Jan 18 11:15:39 CET 2014


Am 18.01.14 03:08, schrieb Michael Niedermayer:
> On Fri, Jan 17, 2014 at 10:18:24AM +0100, Thilo Borgmann wrote:
>> Am 16.01.14 21:43, schrieb Reinhard Tartler:
>>> ffmpeg | branch: release/0.10 | Reinhard Tartler <siretart at tauware.de> | Sun Dec  8 13:24:26 2013 -0500| [d4a24e43edd0c1a06d5dbf454448fde5b3d1d281] | committer: Reinhard Tartler
>>>
>>> alsdec: check block length
>>>
>>> Fix writing over the end
>>>
>>> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>>> Addresses: CVE-2013-0845
>>> (cherry picked from commit 2a0fb7286d67c47e44aa76c237ede117b22af616)
>>>
>>> Signed-off-by: Reinhard Tartler <siretart at tauware.de>
>>> (cherry picked from commit 3f7d89034bfe50893927cc92ddcb95a2e9b4178d)
>>> Signed-off-by: Reinhard Tartler <siretart at tauware.de>
>>>
>>>> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4a24e43edd0c1a06d5dbf454448fde5b3d1d281
>>> ---
>>>
>>>  libavcodec/alsdec.c |    5 +++++
>>>  1 file changed, 5 insertions(+)
>>>
>>> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
>>> index b0369d7..7daa545 100644
>>> --- a/libavcodec/alsdec.c
>>> +++ b/libavcodec/alsdec.c
>>> @@ -1386,6 +1386,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
>>>  
>>>          for (b = 0; b < ctx->num_blocks; b++) {
>>>              bd.block_length = div_blocks[b];
>>> +            if (bd.block_length <= 0) {
>>> +                av_log(ctx->avctx, AV_LOG_WARNING,
>>> +                       "Invalid block length %d in channel data!\n", bd.block_length);
>>> +                continue;
>>> +            }
>>
>> Have you tested this? Does FATE complain?
> 
> fate showed no failures
> also the same code is in git master (originating from the same change
> from 2a0fb728)

Ah release 0.10, sorry, ok.

-Thilo




More information about the ffmpeg-cvslog mailing list