mirror of https://git.ffmpeg.org/ffmpeg.git
apedec: prevent out of array writes in decode_array_0000
s->decoded_buffer is allocated with a min_size of: 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer) Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_0000. In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small. This causes memory corruption, leading to segmentation faults or other crashes. Thus change decode_array_0000 to write at most blockstodecode elements of the out buffer. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
91305c6026
commit
699341d647
|
@ -592,14 +592,14 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
|
|||
int ksummax, ksummin;
|
||||
|
||||
rice->ksum = 0;
|
||||
for (i = 0; i < 5; i++) {
|
||||
for (i = 0; i < FFMIN(blockstodecode, 5); i++) {
|
||||
out[i] = get_rice_ook(&ctx->gb, 10);
|
||||
rice->ksum += out[i];
|
||||
}
|
||||
rice->k = av_log2(rice->ksum / 10) + 1;
|
||||
if (rice->k >= 24)
|
||||
return;
|
||||
for (; i < 64; i++) {
|
||||
for (; i < FFMIN(blockstodecode, 64); i++) {
|
||||
out[i] = get_rice_ook(&ctx->gb, rice->k);
|
||||
rice->ksum += out[i];
|
||||
rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;
|
||||
|
|
Loading…
Reference in New Issue