Commit d65d8347 authored by Michael Niedermayer's avatar Michael Niedermayer Committed by Anton Khirnov

wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.

Fixes CVE-2012-2799

CC:libav-stable@libav.org

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarAnton Khirnov <anton@khirnov.net>
parent d05f72c7
...@@ -1230,6 +1230,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, ...@@ -1230,6 +1230,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
* to decode incomplete frames in the s->len_prefix == 0 case. */ * to decode incomplete frames in the s->len_prefix == 0 case. */
s->num_saved_bits = 0; s->num_saved_bits = 0;
s->packet_loss = 0; s->packet_loss = 0;
init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
} }
} else { } else {
...@@ -1282,6 +1283,7 @@ static void flush(AVCodecContext *avctx) ...@@ -1282,6 +1283,7 @@ static void flush(AVCodecContext *avctx)
s->next_packet_start = 0; s->next_packet_start = 0;
s->cdlms[0][0].order = 0; s->cdlms[0][0].order = 0;
s->frame.nb_samples = 0; s->frame.nb_samples = 0;
init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE);
} }
AVCodec ff_wmalossless_decoder = { AVCodec ff_wmalossless_decoder = {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment