diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-01-25 01:20:26 +0400 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-08 13:23:19 +0400 |
| commit | 1edf848a81464afd514afbbbcb97b471d334e14a (patch) | |
| tree | f1202fa582a280efce78b0e912420cc7bd6544f4 /libavformat | |
| parent | f70c720d42d0e222b70fc580a36832a7b0ef89fa (diff) | |
nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c1173906b0541442713cb29e8ba44c47ef)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/nsvdec.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 44e5097d59..3a14cfa22c 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -609,12 +609,12 @@ null_chunk_retry: } /* map back streams to v,a */ - if (s->streams[0]) + if (s->nb_streams > 0) st[s->streams[0]->id] = s->streams[0]; - if (s->streams[1]) + if (s->nb_streams > 1) st[s->streams[1]->id] = s->streams[1]; - if (vsize/* && st[NSV_ST_VIDEO]*/) { + if (vsize && st[NSV_ST_VIDEO]) { nst = st[NSV_ST_VIDEO]->priv_data; pkt = &nsv->ahead[NSV_ST_VIDEO]; av_get_packet(pb, pkt, vsize); @@ -629,7 +629,7 @@ null_chunk_retry: if(st[NSV_ST_VIDEO]) ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++; - if (asize/*st[NSV_ST_AUDIO]*/) { + if (asize && st[NSV_ST_AUDIO]) { nst = st[NSV_ST_AUDIO]->priv_data; pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ |