[FFmpeg-cvslog] ws_snd1: Fix wrong samples count and crash.

Mon Apr 2 01:45:30 CEST 2012

ffmpeg | branch: release/0.8 | Michael Niedermayer <michaelni at gmx.at> | Sun Dec 25 00:10:27 2011 +0100| [e676bbb8cfb7401cfc189a88c61e7e7c22557fa7] | committer: Reinhard Tartler

ws_snd1: Fix wrong samples count and crash.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc)

Addresses CVE-2012-0848

Reviewed-by: Justin Ruggles <justin.ruggles at gmail.com>
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 697a45d861b7cd6a96718383a44f41348487f844)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e676bbb8cfb7401cfc189a88c61e7e7c22557fa7
---

 libavcodec/ws-snd1.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index 06bd18c..e17c84c 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -95,8 +95,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
 
         /* make sure we don't write more than out_size samples */
         switch (code) {
-        case 0:  smp = 4;                              break;
-        case 1:  smp = 2;                              break;
+        case 0:  smp = 4*(count+1);                    break;
+        case 1:  smp = 2*(count+1);                    break;
         case 2:  smp = (count & 0x20) ? 1 : count + 1; break;
         default: smp = count + 1;                      break;
         }

