From 607f57152c59bcec26caaf2060a86d96f76c4e8b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Apr 2012 14:49:22 +0200
Subject: wmalosslessdec: make MCLMS arrays big enough for what is written into them.

Fixes a part of CVE-2012-2795

CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov
---
 libavcodec/wmalosslessdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavcodec/wmalosslessdec.c')

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index c67a392bfe..cfa877f086 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -129,8 +129,8 @@ typedef struct WmallDecodeCtx {
 int8_t mclms_scaling;
 int16_t mclms_coeffs[128];
 int16_t mclms_coeffs_cur[4];
- int16_t mclms_prevvalues[64];
- int16_t mclms_updates[64];
+ int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32];
+ int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32];
 int mclms_recent;

 int movave_scaling;
-- cgit v1.2.3

From f48fbf2eb5ba7015c65b31c266edf399dd6a82b1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Apr 2012 14:50:25 +0200
Subject: wmalosslessdec: fix a get_bits(0) in decode_ac_filter

Fixes a part of CVE-2012-2795

CC:libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov
---
 libavcodec/wmalosslessdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'libavcodec/wmalosslessdec.c')

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index cfa877f086..dc83b0607b 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
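Review bot: The two fields immediately above the changed ones, `int16_t mclms_coeffs[128];` and `int16_t mclms_coeffs_cur[4];`, keep literal sizes while the patched fields are now derived from WMALL_MAX_CHANNELS; if decode_mclms fills them per channel pair and per filter tap (as the names suggest, but that code is not in this hunk), 128 and 4 are exceeded well before 8 channels and the same out-of-bounds write class this commit fixes remains for those arrays. I would derive them from the same constants, e.g. `int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32];` and `int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS];`, or at minimum add a comment stating which bitstream bound each literal encodes. The bare `32` in the new sizes also deserves a name (the maximum MCLMS order the parser accepts) so the struct and the bitstream parser cannot drift apart. The WmallDecodeCtx struct begins and ends outside the hunk.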
@@ -406,7 +406,8 @@ static void decode_ac_filter(WmallDecodeCtx *s)
 s->acfilter_scaling = get_bits(&s->gb, 4);

 for (i = 0; i < s->acfilter_order; i++)
- s->acfilter_coeffs[i] = get_bits(&s->gb, s->acfilter_scaling) + 1;
+ s->acfilter_coeffs[i] = (s->acfilter_scaling ?
+ get_bits(&s->gb, s->acfilter_scaling) : 0) + 1;
 }

 static void decode_mclms(WmallDecodeCtx *s)
-- cgit v1.2.3

From 6a99310fce49f51773ab7d8ffa4f4748bbf58db9 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 29 Sep 2012 19:16:32 +0200
Subject: wmalosslessdec: Fix reading too many bits in decode_channel_residues()

Fixes a part of CVE-2012-2795

CC:libav-stable@libav.org
Based on a patch by Michael Niedermayer
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavcodec/wmalosslessdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavcodec/wmalosslessdec.c')

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index dc83b0607b..b97f39752c 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -520,7 +520,7 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size)
 residue = quo;
 else {
 rem_bits = av_ceil_log2(ave_mean);
- rem = rem_bits ? get_bits(&s->gb, rem_bits) : 0;
+ rem = rem_bits ? get_bits_long(&s->gb, rem_bits) : 0;
 residue = (quo << rem_bits) + rem;
 }
-- cgit v1.2.3
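Review bot: The new ternary in decode_ac_filter encodes a bit-reader constraint without saying so; I would put `/* get_bits() must not be called with n == 0; a zero scaling means every coefficient is 1 */` above the for loop so the next reader does not "simplify" it back to the old form. Separately, acfilter_scaling comes from `get_bits(&s->gb, 4)` and so reaches 15, at which point `get_bits(..., 15) + 1` can be 32768; if acfilter_coeffs is a 16-bit type (its declaration is not in this hunk) that value wraps to a negative coefficient, so the field width is worth confirming against the struct. The loop bound acfilter_order and the array size are also outside the hunk, so whether the loop stays within acfilter_coeffs cannot be checked from here. decode_ac_filter begins outside the hunk.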
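Review bot: The line right after the change, `residue = (quo << rem_bits) + rem;`, is still a signed left shift by as many as 31 bits (av_ceil_log2 of an int), which overflows int for any non-zero quo once rem_bits is large; that is undefined behaviour, a crafted stream controls both operands, and switching to get_bits_long makes the large-rem_bits path reachable rather than rejected. I would perform the shift in unsigned arithmetic, `residue = ((unsigned)quo << rem_bits) + rem;`, which yields the same bit pattern on every target the decoder runs on without the UB; this assumes quo is non-negative, which its unary decoding presumably guarantees but is not visible here. decode_channel_residues begins and ends outside the hunk.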