virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

diracdec: Check num_refs.

Browse Source 
Fixes: CVE-2011-3950

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-01-26 16:51:01 +01:00
parent e2291ea153
commit ddf0c1d86a
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/diracdec.c
View File

@ -1722,6 +1722,7 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int
DiracContext *s = avctx->priv_data;
DiracFrame *pic = NULL;
int i, parse_code = buf[4];
unsigned tmp;
if (size < DATA_UNIT_HEADER_SIZE)
return -1;
@ -1772,7 +1773,12 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int
avcodec_get_frame_defaults(&pic->avframe);
/* [DIRAC_STD] Defined in 9.6.1 ... */
s->num_refs = parse_code & 0x03; /* [DIRAC_STD] num_refs() */
tmp = parse_code & 0x03; /* [DIRAC_STD] num_refs() */
if (tmp > 2) {
av_log(avctx, AV_LOG_ERROR, "num_refs of 3\n");
return -1;
}
s->num_refs = tmp;
s->is_arith = (parse_code & 0x48) == 0x08; /* [DIRAC_STD] using_ac() */
s->low_delay = (parse_code & 0x88) == 0x88; /* [DIRAC_STD] is_low_delay() */
pic->avframe.reference = (parse_code & 0x0C) == 0x0C; /* [DIRAC_STD] is_reference() */