mirror of https://git.ffmpeg.org/ffmpeg.git
nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
This commit is contained in:
Michael Niedermayer
Alex Converse
parent
b7d3dd907f
commit
6a89b41d97
|
|
@ -605,12 +605,12 @@ null_chunk_retry:
|
||||||
}
|
}
|
||||||
|
|
||||||
/* map back streams to v,a */
|
/* map back streams to v,a */
|
||||||
if (s->streams[0])
|
if (s->nb_streams > 0)
|
||||||
st[s->streams[0]->id] = s->streams[0];
|
st[s->streams[0]->id] = s->streams[0];
|
||||||
if (s->streams[1])
|
if (s->nb_streams > 1)
|
||||||
st[s->streams[1]->id] = s->streams[1];
|
st[s->streams[1]->id] = s->streams[1];
|
||||||
|
|
||||||
if (vsize/* && st[NSV_ST_VIDEO]*/) {
|
if (vsize && st[NSV_ST_VIDEO]) {
|
||||||
nst = st[NSV_ST_VIDEO]->priv_data;
|
nst = st[NSV_ST_VIDEO]->priv_data;
|
||||||
pkt = &nsv->ahead[NSV_ST_VIDEO];
|
pkt = &nsv->ahead[NSV_ST_VIDEO];
|
||||||
av_get_packet(pb, pkt, vsize);
|
av_get_packet(pb, pkt, vsize);
|
||||||
|
|
@ -623,7 +623,7 @@ null_chunk_retry:
|
||||||
if(st[NSV_ST_VIDEO])
|
if(st[NSV_ST_VIDEO])
|
||||||
((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
|
((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;
|
||||||
|
|
||||||
if (asize/*st[NSV_ST_AUDIO]*/) {
|
if (asize && st[NSV_ST_AUDIO]) {
|
||||||
nst = st[NSV_ST_AUDIO]->priv_data;
|
nst = st[NSV_ST_AUDIO]->priv_data;
|
||||||
pkt = &nsv->ahead[NSV_ST_AUDIO];
|
pkt = &nsv->ahead[NSV_ST_AUDIO];
|
||||||
/* read raw audio specific header on the first audio chunk... */
|
/* read raw audio specific header on the first audio chunk... */
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue