Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| ... | ... |
@@ -207,6 +207,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) |
| 207 | 207 |
stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ |
| 208 | 208 |
quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ |
| 209 | 209 |
|
| 210 |
+ if (stype > 3) {
|
|
| 211 |
+ av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); |
|
| 212 |
+ c->ach = 0; |
|
| 213 |
+ return 0; |
|
| 214 |
+ } |
|
| 215 |
+ |
|
| 210 | 216 |
/* note: ach counts PAIRS of channels (i.e. stereo channels) */ |
| 211 | 217 |
ach = ((int[4]){ 1, 0, 2, 4})[stype];
|
| 212 | 218 |
if (ach == 1 && quant && freq == 2) |
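Review bot: The new guard `if (stype > 3)` hard-codes a bound that must match the four-entry compound literal indexed two lines below it, and nothing ties the two together if the table is ever changed. Hoisting the table to `static const int stype_to_ach[] = { 1, 0, 2, 4 };` and testing `if (stype >= FF_ARRAY_ELEMS(stype_to_ach))` would keep the check and the lookup in sync. Separately, `quant` (masked to 0–7 while its comment documents only 0 and 1) and `freq` are not range-checked anywhere in this hunk. dv_extract_audio_info continues past the hunk, so if either value is later used as an array index it needs the same kind of guard, which would be consistent with the commit message calling this only "part1" of the fix. A one-line comment above the early return, such as `/* invalid stype: report no audio channels for this frame */`, would also make the `c->ach = 0; return 0;` contract explicit for callers.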