[SCM] libav/experimental: prevent infinite loop and memcpy of negative amounts fixes issue194
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sun Jun 30 16:08:09 UTC 2013
The following commit has been merged in the experimental branch:
commit 4d570f94ba055d75f469aacadfccf0bdffcbae6c
Author: Michael Niedermayer <michaelni at gmx.at>
Date: Sat Oct 13 12:25:31 2007 +0000
prevent infinite loop and memcpy of negative amounts
fixes issue194
Originally committed as revision 10726 to svn://svn.ffmpeg.org/ffmpeg/trunk
diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c
index d6cf269..ac80693 100644
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -67,6 +67,9 @@ static int aac_sync(const uint8_t *buf, int *channels, int *sample_rate,
skip_bits1(&bits); /* copyright_identification_bit */
skip_bits1(&bits); /* copyright_identification_start */
size = get_bits(&bits, 13); /* aac_frame_length */
+ if(size < AAC_HEADER_SIZE)
+ return 0;
+
skip_bits(&bits, 11); /* adts_buffer_fullness */
rdb = get_bits(&bits, 2); /* number_of_raw_data_blocks_in_frame */
diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c
index d97c86e..034a0bd 100644
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -114,6 +114,9 @@ static int ac3_sync(const uint8_t *buf, int *channels, int *sample_rate,
return 0; /* Currently don't support additional streams */
frmsiz = get_bits(&bits, 11) + 1;
+ if(frmsiz*2 < AC3_HEADER_SIZE)
+ return 0;
+
fscod = get_bits(&bits, 2);
if (fscod == 3) {
fscod2 = get_bits(&bits, 2);
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list