From 065b3a1cfa3f23aedf76244b3f3883ba913173ff Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 08:40:42 +0200 Subject: [PATCH] wmalosslessdec: increase channel_coeffs/residues size Fixes CVE-2012-2792 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/wmalosslessdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8300b17184..c67a392bfe 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -23,6 +23,8 @@ */ #include "libavutil/attributes.h" +#include "libavutil/avassert.h" + #include "avcodec.h" #include "internal.h" #include "get_bits.h" @@ -158,14 +160,14 @@ typedef struct WmallDecodeCtx { int ave_sum[2]; - int channel_residues[2][2048]; + int channel_residues[2][WMALL_BLOCK_MAX_SIZE]; int lpc_coefs[2][40]; int lpc_order; int lpc_scaling; int lpc_intbits; - int channel_coeffs[2][2048]; + int channel_coeffs[2][WMALL_BLOCK_MAX_SIZE]; } WmallDecodeCtx; @@ -215,6 +217,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /* get frame len */ s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); + av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE); /* init previous block len */ for (i = 0; i < avctx->channels; i++)