Browse code
wmapro: check num_vec_coeffs against the actual available buffer
Prevent yet another buffer overwrite.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 38229362529ed1619d8ebcc81ecde85b23b45895)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Luca Barbato authored on 2013/06/28 12:23:21Showing 1 changed files
| ... | ... |
@@ -1122,11 +1122,12 @@ static int decode_subframe(WMAProDecodeCtx *s) |
| 1122 | 1122 |
cur_subwoofer_cutoff = s->subwoofer_cutoffs[s->table_idx]; |
| 1123 | 1123 |
|
| 1124 | 1124 |
/** configure the decoder for the current subframe */ |
| 1125 |
+ offset += s->samples_per_frame >> 1; |
|
| 1126 |
+ |
|
| 1125 | 1127 |
for (i = 0; i < s->channels_for_cur_subframe; i++) {
|
| 1126 | 1128 |
int c = s->channel_indexes_for_cur_subframe[i]; |
| 1127 | 1129 |
|
| 1128 |
- s->channel[c].coeffs = &s->channel[c].out[(s->samples_per_frame >> 1) |
|
| 1129 |
- + offset]; |
|
| 1130 |
+ s->channel[c].coeffs = &s->channel[c].out[offset]; |
|
| 1130 | 1131 |
} |
| 1131 | 1132 |
|
| 1132 | 1133 |
s->subframe_len = subframe_len; |
| ... | ... |
@@ -1177,7 +1178,7 @@ static int decode_subframe(WMAProDecodeCtx *s) |
| 1177 | 1177 |
for (i = 0; i < s->channels_for_cur_subframe; i++) {
|
| 1178 | 1178 |
int c = s->channel_indexes_for_cur_subframe[i]; |
| 1179 | 1179 |
int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; |
| 1180 |
- if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) {
|
|
| 1180 |
+ if (num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)) {
|
|
| 1181 | 1181 |
av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); |
| 1182 | 1182 |
return AVERROR_INVALIDDATA; |
| 1183 | 1183 |
} |