Description: fix denial of service and possible code execution via crafted WebM file Origin: upstream, http://git.videolan.org/?p=ffmpeg.git;a=commit;h=5e3d023702587c137ac0a725d601d26a8978a125 Bug: https://roundup.ffmpeg.org/issue2548 Bug: https://roundup.ffmpeg.org/issue2550 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610550 diff -Nur ffmpeg-0.6/libavcodec/vorbis_dec.c ffmpeg-0.6.new/libavcodec/vorbis_dec.c --- ffmpeg-0.6/libavcodec/vorbis_dec.c 2011-03-31 10:37:33.642468371 -0400 +++ ffmpeg-0.6.new/libavcodec/vorbis_dec.c 2011-03-31 10:37:38.402468370 -0400 @@ -477,6 +477,7 @@ if (floor_setup->floor_type == 1) { uint_fast8_t maximum_class = 0; uint_fast8_t rangebits; + uint_fast32_t rangemax; uint_fast16_t floor1_values = 2; floor_setup->decode = vorbis_floor1_decode; @@ -530,8 +531,15 @@ rangebits = get_bits(gb, 4); + rangemax = (1 << rangebits); + if (rangemax > vc->blocksize[1] / 2) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor value is too large for blocksize: %d (%d)\n", + rangemax, vc->blocksize[1] / 2); + return -1; + } floor_setup->data.t1.list[0].x = 0; - floor_setup->data.t1.list[1].x = (1 << rangebits); + floor_setup->data.t1.list[1].x = rangemax; for (j = 0; j < floor_setup->data.t1.partitions; ++j) { for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {