Description: fix arbitrary code execution via malformed CAVS file
Origin: upstream, http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641478
diff -Nur ffmpeg-0.6/libavcodec/cavsdec.c ffmpeg-0.6.new/libavcodec/cavsdec.c
--- ffmpeg-0.6/libavcodec/cavsdec.c 2010-04-20 10:45:34.000000000 -0400
+++ ffmpeg-0.6.new/libavcodec/cavsdec.c 2011-09-16 09:32:39.406352284 -0400
@@ -130,12 +130,14 @@
 r++;
 mask = -(level_code & 1);
 level = (level^mask) - mask;
- } else {
+ } else if (level_code >= 0) {
 level = r->rltab[level_code][0];
 if(!level) //end of block signal
 break;
 run = r->rltab[level_code][1];
 r += r->rltab[level_code][2];
+ } else {
+ break;
 }
 level_buf[i] = level;
 run_buf[i] = run;
@@ -189,7 +191,8 @@
 static int decode_mb_i(AVSContext *h, int cbp_code) {
 GetBitContext *gb = &h->s.gb;
- int block, pred_mode_uv;
+ unsigned pred_mode_uv;
+ int block;
 uint8_t top[18];
 uint8_t *left = NULL;
 uint8_t *d;
@@ -445,6 +448,8 @@
 if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
 skip_bits_long(gb,24+align);
 h->stc = get_bits(gb,8);
+ if (h->stc >= h->mb_height)
+ return 0;
 decode_slice_header(h,gb);
 return 1;
 }
@@ -659,7 +664,7 @@
 buf_end = buf + buf_size;
 for(;;) {
 buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
- if(stc & 0xFFFFFE00)
+ if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
 return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
 input_size = (buf_end - buf_ptr)*8;
 switch(stc) {
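Review bot: The new trailing `else { break; }` in the first hunk turns a negative `level_code` into a silent end-of-block, which is the right way to keep `r->rltab[level_code]` from being indexed with a negative value, but nothing in the hunk says so and the next reader will take it for an ordinary end-of-block path. Add a comment on the added `break;`: `/* negative level_code: invalid VLC in the stream; stop here rather than index rltab out of bounds */`. Only the lower bound is checked here; whether `level_code` is also bounded above by the size of `rltab` depends on how it was decoded before this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.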
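Review bot: The new `unsigned pred_mode_uv;` declaration in decode_mb_i gives no hint of why the type changed from `int`; presumably a later `pred_mode_uv < N`-style range check is meant to reject values that would have been negative as well, but that check is not in the hunk. A one-line comment keeps the next cleanup from folding it back into `int block, pred_mode_uv;`: `unsigned pred_mode_uv; /* unsigned so a single upper-bound check also rejects negative values */`. decode_mb_i's body continues outside the hunk, so the comparison this relies on could not be verified here.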
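Review bot: The added `if (h->stc >= h->mb_height) return 0;` rejects an out-of-range slice value only after `skip_bits_long` and `get_bits` have already consumed the start code, and it returns the same 0 that presumably means "no slice here", so the caller cannot distinguish a malformed slice from the absence of one. If `stc` is the slice's starting macroblock row, as the comparison with `mb_height` suggests, say so on the check: `/* stc is the slice's starting MB row; a value >= mb_height would address rows past the frame */`. Whether a distinct error return or an av_log at AV_LOG_ERROR is wanted depends on the caller, which is outside the hunk; the enclosing function starts and ends outside the hunk as well.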
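Review bot: The added `buf_ptr == buf_end` test in the loop's exit condition is evaluated after `stc & 0xFFFFFE00`, so when ff_find_start_code reaches the end of the buffer without a new start code, whatever `stc` holds at that point is still inspected first; writing `if (buf_ptr == buf_end || (stc & 0xFFFFFE00))` makes the intent clearer and does not depend on what `stc` contains in that case. A short comment on why the end-of-buffer case returns here would also help: `/* no further start code in this packet: report the bytes consumed so far to the parser */`. The early return folds two situations (invalid start code, buffer exhausted) into one value, which is fine if the caller only needs the consumed length; that caller, and the enclosing function's start and end, are outside the hunk.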