changeset 6742:81ec037b6151 libavcodec

Fix memset(0) based buffer overflow.
author michael
date Sat, 03 May 2008 20:56:57 +0000
parents 8d6c07df5afd
children 25c5f3b5e902
files alac.c
diffstat 1 files changed, 6 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/alac.c	Sat May 03 17:28:25 2008 +0000
+++ b/alac.c	Sat May 03 20:56:57 2008 +0000
@@ -199,7 +199,8 @@
 
         /* special case: there may be compressed blocks of 0 */
         if ((history < 128) && (output_count+1 < output_size)) {
-            int block_size, k;
+            int k;
+            unsigned int block_size;
 
             sign_modifier = 1;
 
@@ -208,6 +209,10 @@
             block_size= decode_scalar(&alac->gb, k, rice_kmodifier, 16);
 
             if (block_size > 0) {
+                if(block_size >= output_size - output_count){
+                    av_log(alac->avctx, AV_LOG_ERROR, "invalid zero block size of %d %d %d\n", block_size, output_size, output_count);
+                    block_size= output_size - output_count - 1;
+                }
                 memset(&output_buffer[output_count+1], 0, block_size * 4);
                 output_count += block_size;
             }