dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ce7aee9b73)
2025-02-02 12:53:29 +00:00 · 2012-02-17 14:13:40 -08:00 · 2012-02-17 14:13:40 -08:00 · eaeaeb265f
commit eaeaeb265f
parent db315c796d
1 changed files with 6 additions and 1 deletions
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@ -183,6 +183,11 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
    int stereo = s->channels - 1;
    int16_t *output_samples;

+    if (stereo && (buf_size & 1)) {
+        buf_size--;
+        buf_end--;
+    }
+
    /* calculate output size */
    switch(avctx->codec->id) {
    case CODEC_ID_ROQ_DPCM:
@ -317,7 +322,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
    *got_frame_ptr   = 1;
    *(AVFrame *)data = s->frame;

-    return buf_size;
+    return avpkt->size;
 }

 #define DPCM_DECODER(id_, name_, long_name_)                \