dv: Fix out of array read

Fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2025-10-30 23:18:11 +02:00 · 2012-01-25 04:51:06 +01:00
parent 8847561f93
commit 88d84dd8ea
1 changed files with 6 additions and 4 deletions
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -35,6 +35,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/mathematics.h"
 #include "dv.h"
+#include "libavutil/avassert.h"

 struct DVDemuxContext {
    const DVprofile*  sys;    /* Current DV profile. E.g.: 525/60, 625/50 */
@@ -130,15 +131,19 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
    /* We work with 720p frames split in half, thus even frames have
     * channels 0,1 and odd 2,3. */
    ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
-    pcm  = ppcm[ipcm++];

    /* for each DIF channel */
    for (chan = 0; chan < sys->n_difchan; chan++) {
+        av_assert0(ipcm<4);
+        pcm = ppcm[ipcm++];
+        if (!pcm)
+            break;
        /* for each DIF segment */
        for (i = 0; i < sys->difseg_size; i++) {
            frame += 6 * 80; /* skip DIF segment header */
            if (quant == 1 && i == half_ch) {
                /* next stereo channel (12bit mode only) */
+                av_assert0(ipcm<4);
                pcm = ppcm[ipcm++];
                if (!pcm)
                    break;
@@ -183,9 +188,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
        }

        /* next stereo channel (50Mbps and 100Mbps only) */
-        pcm = ppcm[ipcm++];
-        if (!pcm)
-            break;
    }

    return size;