dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.

Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse <alex.converse@gmail.com>
2012-01-26 15:08:26 -08:00 · 2012-01-26 15:08:26 -08:00 · 2d1c0dea5f
commit 2d1c0dea5f
parent 5a396bb3a6
1 changed files with 5 additions and 6 deletions
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@ -127,10 +127,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
    /* We work with 720p frames split in half, thus even frames have
     * channels 0,1 and odd 2,3. */
    ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
-    pcm  = ppcm[ipcm++];

    /* for each DIF channel */
    for (chan = 0; chan < sys->n_difchan; chan++) {
+        /* next stereo channel (50Mbps and 100Mbps only) */
+        pcm = ppcm[ipcm++];
+        if (!pcm)
+            break;
+
        /* for each DIF segment */
        for (i = 0; i < sys->difseg_size; i++) {
            frame += 6 * 80; /* skip DIF segment header */
@ -178,11 +182,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
                frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
            }
        }
-
-        /* next stereo channel (50Mbps and 100Mbps only) */
-        pcm = ppcm[ipcm++];
-        if (!pcm)
-            break;
    }

    return size;