Message ID | 1357252899-15479-1-git-send-email-siretart@tauware.de |
---|---|
State | New |
On 01/03/2013 05:41 PM, Reinhard Tartler wrote: > From: Michael Niedermayer <michaelni@gmx.at> > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > Fixes: CVE-2012-2797 > (based on FFmpeg commit cca9528524c7a4b91451f4322bd50849af5d057e) > > CC: libav-stable@libav.org > > Signed-off-by: Michael Niedermayer <michaelni@gmx.at> > Signed-off-by: Reinhard Tartler <siretart@tauware.de> > --- > libavcodec/mpegaudiodec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c > index fda0280..ed87fd5 100644 > --- a/libavcodec/mpegaudiodec.c > +++ b/libavcodec/mpegaudiodec.c > @@ -1905,7 +1905,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, > int fr, ch, ret; > > /* get output buffer */ > - s->frame->nb_samples = MPA_FRAME_SIZE; > + s->frame->nb_samples = s->frames * MPA_FRAME_SIZE; > if ((ret = ff_get_buffer(avctx, s->frame)) < 0) { > av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); > return ret; The patch is wrong. There is no issue. -Justin
On Fri, Jan 4, 2013 at 12:21 AM, Justin Ruggles <justin.ruggles@gmail.com> wrote: > On 01/03/2013 05:41 PM, Reinhard Tartler wrote: >> From: Michael Niedermayer <michaelni@gmx.at> >> >> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind >> Fixes: CVE-2012-2797 >> (based on FFmpeg commit cca9528524c7a4b91451f4322bd50849af5d057e) >> >> CC: libav-stable@libav.org >> >> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> >> Signed-off-by: Reinhard Tartler <siretart@tauware.de> >> --- >> libavcodec/mpegaudiodec.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c >> index fda0280..ed87fd5 100644 >> --- a/libavcodec/mpegaudiodec.c >> +++ b/libavcodec/mpegaudiodec.c >> @@ -1905,7 +1905,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, >> int fr, ch, ret; >> >> /* get output buffer */ >> - s->frame->nb_samples = MPA_FRAME_SIZE; >> + s->frame->nb_samples = s->frames * MPA_FRAME_SIZE; >> if ((ret = ff_get_buffer(avctx, s->frame)) < 0) { >> av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); >> return ret; > > The patch is wrong. There is no issue. Thanks for the review!
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index fda0280..ed87fd5 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1905,7 +1905,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, int fr, ch, ret; /* get output buffer */ - s->frame->nb_samples = MPA_FRAME_SIZE; + s->frame->nb_samples = s->frames * MPA_FRAME_SIZE; if ((ret = ff_get_buffer(avctx, s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret;
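Review bot: The commit message gives only a CVE number and an FFmpeg commit hash for the changed `nb_samples` assignment in decode_frame_mp3on4(), with no description of which write goes past a buffer sized for MPA_FRAME_SIZE samples, so the fix cannot be verified from the patch alone. Please add a sentence to the message explaining how this function ends up writing more than MPA_FRAME_SIZE samples into s->frame, or why that cannot happen. The new expression `s->frames * MPA_FRAME_SIZE` also depends on s->frames, whose range is not visible in this hunk; say where it is bounded, and confirm that nb_samples is set to the number of samples actually decoded before the frame is handed back, since the hunk now requests the larger count up front.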