[FFmpeg-cvslog] dpcm: Round output buffer size up.
Michael Niedermayer
git at videolan.org
Thu Jan 26 17:15:54 CET 2012
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Jan 26 17:04:51 2012 +0100| [92115bb685914cbfeb02fed26d5acd50dea03d7e] | committer: Michael Niedermayer
dpcm: Round output buffer size up.
Fixes: CVE-2011-3951
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=92115bb685914cbfeb02fed26d5acd50dea03d7e
---
libavcodec/dpcm.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 929458a..8240221 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -205,9 +205,12 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
return AVERROR(EINVAL);
}
+ if (out % s->channels) {
+ av_log(avctx, AV_LOG_WARNING, "channels have differing number of samples\n");
+ }
/* get output buffer */
- s->frame.nb_samples = out / s->channels;
+ s->frame.nb_samples = (out + s->channels - 1) / s->channels;
if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return ret;
More information about the ffmpeg-cvslog
mailing list