ws_snd1: Fix wrong samples counts.

Message ID 20120216201855.756515DF4D@aruru.libav.org
State New

Commit Message

Janne Grunau Feb. 16, 2012, 8:18 p.m.
Module: libav
Branch: master
Commit: 9fb7a5af97d8c084c3af2566070d09eae0ab49fc

Author:    Michael Niedermayer <michaelni@gmx.at>
Committer: Justin Ruggles <justin.ruggles@gmail.com>
Date:      Sun Dec 25 00:10:27 2011 +0100

ws_snd1: Fix wrong samples counts.

This makes the check that avoids overwrite of the samples array actually
work properly.

fixes CVE-2012-0848
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>

---

 libavcodec/ws-snd1.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index b2d086e..e8e4d15 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -112,8 +112,8 @@  static int ws_snd_decode_frame(AVCodecContext *avctx, void *data,
 
         /* make sure we don't write past the output buffer */
         switch (code) {
-        case 0:  smp = 4;                              break;
-        case 1:  smp = 2;                              break;
+        case 0:  smp = 4 * (count + 1);                break;
+        case 1:  smp = 2 * (count + 1);                break;
         case 2:  smp = (count & 0x20) ? 1 : count + 1; break;
         default: smp = count + 1;                      break;
         }
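
Review bot: cases 0 and 1 of the switch now use the bare factors 4 and 2 with no indication of where they come from, and the check is only correct while those factors match the number of samples the decoding code for these two codes writes per counted unit, which is outside this hunk. A short comment on each case (for example, that code 0 yields 4 samples for each of the count + 1 units and code 1 yields 2) would document that coupling and make it harder for the check and the decoder to drift apart again. The commit message could also name which block codes were under-counted, since "wrong samples counts" does not identify them.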