[SCM] libav/experimental: Fix crash in MLP decoder due to integer overflow. Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after.

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sun Jun 30 16:58:31 UTC 2013


The following commit has been merged in the experimental branch:
commit 0b882b4009c9fbe24020c2fe83b21ee43d0784ea
Author: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
Date:   Sun Jan 24 18:07:29 2010 +0000

    Fix crash in MLP decoder due to integer overflow.
    Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
    NULL-dereference directly after.
    
    Originally committed as revision 21426 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 8060ebe..bfde83c 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -959,7 +959,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
 
     length = (AV_RB16(buf) & 0xfff) * 2;
 
-    if (length > buf_size)
+    if (length < 4 || length > buf_size)
         return -1;
 
     init_get_bits(&gb, (buf + 4), (length - 4) * 8);
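
Review bot: The literal 4 in the new `length < 4` test has to stay in step with the header skip in `init_get_bits(&gb, (buf + 4), (length - 4) * 8)` two lines below, and nothing in the code says so. If one of these values changes without the others, `length - 4` can go negative again and pass a negative bit count to init_get_bits. A named constant, or a one-line comment tying the lower bound to the 4-byte skip, would make the dependency explicit. The rejection path also returns -1 without a message. An av_log call on avctx reporting the invalid length would help when triaging malformed streams.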

-- 
Libav/FFmpeg packaging


