# HG changeset patch # User michael # Date 1169435940 0 # Node ID 77bd711c0aed710eee3c71859a5979d054ee42d9 # Parent b959208ba904aa2212b0896cbe84af90e923735e adding a few checks to the audio packet descrambling, this should hopefully catch all related out of array accesses note, the original code might have been exploitable diff -r b959208ba904 -r 77bd711c0aed asf.c --- a/asf.c Mon Jan 22 01:21:16 2007 +0000 +++ b/asf.c Mon Jan 22 03:19:00 2007 +0000 @@ -244,7 +244,8 @@ // asf_st->ds_data_size, asf_st->ds_span, asf_st->ds_silence_data); if (asf_st->ds_span > 1) { if (!asf_st->ds_chunk_size - || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1)) + || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1) + || asf_st->ds_packet_size % asf_st->ds_chunk_size) asf_st->ds_span = 0; // disable descrambling } switch (st->codec->codec_id) { @@ -702,6 +703,9 @@ if (asf_st->frag_offset == asf_st->pkt.size) { /* return packet */ if (asf_st->ds_span > 1) { + if(asf_st->pkt.size != asf_st->ds_packet_size * asf_st->ds_span){ + av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span\n"); + }else{ /* packet descrambling */ uint8_t *newdata = av_malloc(asf_st->pkt.size); if (newdata) { @@ -712,6 +716,9 @@ int col = off % asf_st->ds_span; int idx = row + col * asf_st->ds_packet_size / asf_st->ds_chunk_size; //printf("off:%d row:%d col:%d idx:%d\n", off, row, col, idx); + + assert(offset + asf_st->ds_chunk_size <= asf_st->pkt.size); + assert(idx+1 <= asf_st->pkt.size / asf_st->ds_chunk_size); memcpy(newdata + offset, asf_st->pkt.data + idx * asf_st->ds_chunk_size, asf_st->ds_chunk_size); @@ -720,6 +727,7 @@ av_free(asf_st->pkt.data); asf_st->pkt.data = newdata; } + } } asf_st->frag_offset = 0; *pkt= asf_st->pkt;