Commit 6a99310f authored by Anton Khirnov's avatar Anton Khirnov

wmalosslessdec: Fix reading too many bits in decode_channel_residues()

Fixes a part of CVE-2012-2795

CC:libav-stable@libav.org

Based on a patch by Michael Niedermayer <michaelni@gmx.at>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
parent f48fbf2e
...@@ -520,7 +520,7 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size) ...@@ -520,7 +520,7 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size)
residue = quo; residue = quo;
else { else {
rem_bits = av_ceil_log2(ave_mean); rem_bits = av_ceil_log2(ave_mean);
rem = rem_bits ? get_bits(&s->gb, rem_bits) : 0; rem = rem_bits ? get_bits_long(&s->gb, rem_bits) : 0;
residue = (quo << rem_bits) + rem; residue = (quo << rem_bits) + rem;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment