ws_snd1: Fix wrong samples count and crash.
authorMichael Niedermayer <michaelni@gmx.at>
Sat, 24 Dec 2011 23:10:27 +0000 (00:10 +0100)
committerReinhard Tartler <siretart@tauware.de>
Sun, 1 Apr 2012 16:33:29 +0000 (18:33 +0200)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc)

Addresses CVE-2012-0848

Reviewed-by: Justin Ruggles <justin.ruggles@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 697a45d861b7cd6a96718383a44f41348487f844)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavcodec/ws-snd1.c

index 06bd18c..e17c84c 100644 (file)
@@ -95,8 +95,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
 
         /* make sure we don't write more than out_size samples */
         switch (code) {
-        case 0:  smp = 4;                              break;
-        case 1:  smp = 2;                              break;
+        case 0:  smp = 4*(count+1);                    break;
+        case 1:  smp = 2*(count+1);                    break;
         case 2:  smp = (count & 0x20) ? 1 : count + 1; break;
         default: smp = count + 1;                      break;
         }
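Review bot: The factors 4 and 2 in `case 0` and `case 1` are undocumented, and they have to match what the decode loops later in ws_snd_decode_frame actually write (those loops and the comparison against out_size are outside this hunk). The old constants were exactly such a mismatch, so the "don't write more than out_size" guard under-counted and let the output buffer be overrun. I would extend the existing comment to something like `/* smp must equal the number of samples the matching case below writes: presumably 4 per input byte for code 0 and 2 for code 1, over count+1 bytes */` so the estimate and the loops cannot silently drift apart again. This hunk only bounds the output side; it is worth confirming that the count+1 bytes those cases consume are also checked against the remaining packet length before they are read.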