Commit 66197988 authored by Thilo Borgmann, committed by Justin Ruggles

alsdec: fix number of decoded samples in first sub-block in BGMC mode.

Fixes CVE-2012-2790

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
parent 97f0efbf
...@@ -770,7 +770,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) ...@@ -770,7 +770,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
int delta[8]; int delta[8];
unsigned int k [8]; unsigned int k [8];
unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
unsigned int i;
// read most significant bits // read most significant bits
unsigned int high; unsigned int high;
...@@ -782,28 +781,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) ...@@ -782,28 +781,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
current_res = bd->raw_samples + start; current_res = bd->raw_samples + start;
for (sb = 0; sb < sub_blocks; sb++) { for (sb = 0; sb < sub_blocks; sb++) {
unsigned int sb_len = sb_length - (sb ? 0 : start);
k [sb] = s[sb] > b ? s[sb] - b : 0; k [sb] = s[sb] > b ? s[sb] - b : 0;
delta[sb] = 5 - s[sb] + k[sb]; delta[sb] = 5 - s[sb] + k[sb];
ff_bgmc_decode(gb, sb_length, current_res, ff_bgmc_decode(gb, sb_len, current_res,
delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);
current_res += sb_length; current_res += sb_len;
} }
ff_bgmc_decode_end(gb); ff_bgmc_decode_end(gb);
// read least significant bits and tails // read least significant bits and tails
i = start;
current_res = bd->raw_samples + start; current_res = bd->raw_samples + start;
for (sb = 0; sb < sub_blocks; sb++, i = 0) { for (sb = 0; sb < sub_blocks; sb++, start = 0) {
unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
unsigned int cur_k = k[sb]; unsigned int cur_k = k[sb];
unsigned int cur_s = s[sb]; unsigned int cur_s = s[sb];
for (; i < sb_length; i++) { for (; start < sb_length; start++) {
int32_t res = *current_res; int32_t res = *current_res;
if (res == cur_tail_code) { if (res == cur_tail_code) {
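Review bot: The new `sb_len = sb_length - (sb ? 0 : start)` is an unsigned subtraction, so for the first sub-block it wraps to a very large count whenever `start` exceeds `sb_length`, and that count is then passed to `ff_bgmc_decode()` as the number of samples to write at `current_res`. Nothing in the visible hunks bounds `start` against `sb_length`; both are set earlier in `read_var_block_data`, outside the hunk, so the bound may already be guaranteed there, but it is worth confirming. If it is not, a guard before the first loop on `if (start > sb_length)` that returns the function's usual error value would keep this fix from depending on that assumption. Separately, the second loop now uses `start` as its counter and leaves it at 0, so a comment such as `// start doubles as the sample index here and is 0 after this loop` would warn anyone who later reads `start` further down the function.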
......