wmalosslessdec: increase channel_coeffs/residues size

Fixes CVE-2012-2792 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

wmalosslessdec: increase channel_coeffs/residues size
Fixes CVE-2012-2792 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
065b3a1c · Anton Khirnov · 4a969030 · 065b3a1c
Commit 065b3a1c authored Sep 29, 2012 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

wmalosslessdec.c libavcodec/wmalosslessdec.c +5 -2

No files found.
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -23,6 +23,8 @@
 */

 #include "libavutil/attributes.h"
+#include "libavutil/avassert.h"
+
 #include "avcodec.h"
 #include "internal.h"
 #include "get_bits.h"
@@ -158,14 +160,14 @@ typedef struct WmallDecodeCtx {

    int ave_sum[2];

-    int channel_residues[2][2048];
+    int channel_residues[2][WMALL_BLOCK_MAX_SIZE];

    int lpc_coefs[2][40];
    int lpc_order;
    int lpc_scaling;
    int lpc_intbits;

-    int channel_coeffs[2][2048];
+    int channel_coeffs[2][WMALL_BLOCK_MAX_SIZE];
 } WmallDecodeCtx;


@@ -215,6 +217,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    /* get frame len */
    s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
                                                          3, s->decode_flags);
+    av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE);

    /* init previous block len */
    for (i = 0; i < avctx->channels; i++)