mp3on4: allocate a large enough frame.

Message ID 1357252899-15479-1-git-send-email-siretart@tauware.de
State New

Commit Message

Reinhard Tartler Jan. 3, 2013, 10:41 p.m.
From: Michael Niedermayer <michaelni@gmx.at>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Fixes: CVE-2012-2797
(based on FFmpeg commit cca9528524c7a4b91451f4322bd50849af5d057e)

CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavcodec/mpegaudiodec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Justin Ruggles Jan. 3, 2013, 11:21 p.m. | #1
On 01/03/2013 05:41 PM, Reinhard Tartler wrote:
> From: Michael Niedermayer <michaelni@gmx.at>
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Fixes: CVE-2012-2797
> (based on FFmpeg commit cca9528524c7a4b91451f4322bd50849af5d057e)
> 
> CC: libav-stable@libav.org
> 
> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> Signed-off-by: Reinhard Tartler <siretart@tauware.de>
> ---
>  libavcodec/mpegaudiodec.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
> index fda0280..ed87fd5 100644
> --- a/libavcodec/mpegaudiodec.c
> +++ b/libavcodec/mpegaudiodec.c
> @@ -1905,7 +1905,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
>      int fr, ch, ret;
>  
>      /* get output buffer */
> -    s->frame->nb_samples = MPA_FRAME_SIZE;
> +    s->frame->nb_samples = s->frames * MPA_FRAME_SIZE;
>      if ((ret = ff_get_buffer(avctx, s->frame)) < 0) {
>          av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
>          return ret;

The patch is wrong. There is no issue.

-Justin
Reinhard Tartler Jan. 3, 2013, 11:36 p.m. | #2
On Fri, Jan 4, 2013 at 12:21 AM, Justin Ruggles
<justin.ruggles@gmail.com> wrote:
> On 01/03/2013 05:41 PM, Reinhard Tartler wrote:
>> From: Michael Niedermayer <michaelni@gmx.at>
>>
>> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>> Fixes: CVE-2012-2797
>> (based on FFmpeg commit cca9528524c7a4b91451f4322bd50849af5d057e)
>>
>> CC: libav-stable@libav.org
>>
>> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
>> Signed-off-by: Reinhard Tartler <siretart@tauware.de>
>> ---
>>  libavcodec/mpegaudiodec.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
>> index fda0280..ed87fd5 100644
>> --- a/libavcodec/mpegaudiodec.c
>> +++ b/libavcodec/mpegaudiodec.c
>> @@ -1905,7 +1905,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
>>      int fr, ch, ret;
>>
>>      /* get output buffer */
>> -    s->frame->nb_samples = MPA_FRAME_SIZE;
>> +    s->frame->nb_samples = s->frames * MPA_FRAME_SIZE;
>>      if ((ret = ff_get_buffer(avctx, s->frame)) < 0) {
>>          av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
>>          return ret;
>
> The patch is wrong. There is no issue.

Thanks for the review!

Patch

diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index fda0280..ed87fd5 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1905,7 +1905,7 @@  static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
     int fr, ch, ret;
 
     /* get output buffer */
-    s->frame->nb_samples = MPA_FRAME_SIZE;
+    s->frame->nb_samples = s->frames * MPA_FRAME_SIZE;
     if ((ret = ff_get_buffer(avctx, s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
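
Review bot: the new `s->frame->nb_samples = s->frames * MPA_FRAME_SIZE;` line multiplies by `s->frames` with no bound visible in this hunk and no comment explaining why the output buffer must hold more than one MPA_FRAME_SIZE of samples. The commit message names CVE-2012-2797 but does not say which write would overrun a single-frame buffer, and the first reply in the thread disputes that there is any issue. Please add a sentence to the commit message, or a comment beside the assignment, stating how many samples per channel decode_frame_mp3on4() actually writes into `s->frame` per call, and note where `s->frames` is range-checked so the product stays within what ff_get_buffer() is expected to allocate. If the function only ever writes MPA_FRAME_SIZE samples per channel, the larger allocation also changes the nb_samples value reported to the caller, which should be confirmed as intended.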