
xine-lib-1.1.0-9.7.20060mdk.src.rpm

--- xine-lib-1.1.0/src/libffmpeg/libavcodec/4xm.c.cve-2006-4800	2005-05-05 22:19:17.000000000 -0600
+++ xine-lib-1.1.0/src/libffmpeg/libavcodec/4xm.c	2006-09-25 11:12:27.000000000 -0600
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
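Review bot: The new `buf_size < 20` condition at `if(buf_size != get32(buf+4)+8 || buf_size < 20)` only logs and then falls through, so a frame shorter than 20 bytes still reaches the `buf+20` reads later in decode_frame (the memcpy from `buf+20` in the next hunk); to actually reject it, add `return -1;` after the av_log inside that block. The message `"size mismatch %d %d\n"` is also misleading for the too-short case, since the two sizes may well agree. Note that `get32(buf)` and `get32(buf+4)` are evaluated before any length test; whether the input padding makes that safe for tiny buffers is not visible here. decode_frame's body continues outside the hunk, so an early-out elsewhere cannot be ruled out from this view.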
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *
         cfrm= &f->cfrm[i];
         
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
         
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
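Review bot: The NULL check on the `av_fast_realloc` result is added only after `cfrm->data` has already been overwritten with it, so on failure the previous buffer is lost and `cfrm->allocated_size` no longer describes any live allocation (assuming av_fast_realloc, like realloc, leaves the original block untouched on failure — its body is not on the page). The usual pattern is to realloc into a temporary and assign only on success. The log string `"realloc falure"` also has a typo and no trailing newline. The enclosing for loop and decode_frame continue outside the hunk.
```c
        void *tmp = av_fast_realloc(cfrm->data, &cfrm->allocated_size,
                                    cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
        if(!tmp){ //explicit check needed as memcpy below might not catch a NULL
            av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n");
            return -1;
        }
        cfrm->data= tmp;
        // … unchanged: memcpy into cfrm->data and size update …
```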
--- xine-lib-1.1.0/src/libffmpeg/libavcodec/alac.c.cve-2006-4800	2005-07-19 14:30:39.000000000 -0600
+++ xine-lib-1.1.0/src/libffmpeg/libavcodec/alac.c	2006-09-25 11:12:27.000000000 -0600
@@ -92,6 +92,10 @@ void alac_set_info(ALACContext *alac)
     ptr += 4; /* alac */
     ptr += 4; /* 0 ? */
 
+    if(BE_32(ptr) >= UINT_MAX/4){
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+        return -1;
+    }
     alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
     ptr += 4;
     alac->setinfo_7a = *ptr++;
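Review bot: The new `return -1;` is inside a function the hunk header shows as `void alac_set_info(ALACContext *alac)`, and neither alac.c hunk changes that signature, so a value is returned from a void function (a constraint violation under C99 6.8.6.4, a warning on most compilers) and the caller cannot learn that the header was rejected; the `return 0;` added in the second alac.c hunk has the same problem. The signature should become `int alac_set_info(ALACContext *alac)` with its caller checking for a negative result, mirroring what the shorten.c hunk does for allocate_buffers. The `UINT_MAX` comparison also relies on `<limits.h>` being included, which cannot be confirmed from the hunk. The function's start lies outside both hunks.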
@@ -110,6 +114,8 @@ void alac_set_info(ALACContext *alac)
     ptr += 4;
 
     allocate_buffers(alac);
+
+    return 0;
 }
 
 /* hideously inefficient. could use a bitmask search,
--- xine-lib-1.1.0/src/libffmpeg/libavcodec/shorten.c.cve-2006-4800	2005-04-18 23:20:37.000000000 -0600
+++ xine-lib-1.1.0/src/libffmpeg/libavcodec/shorten.c	2006-09-25 11:12:27.000000000 -0600
@@ -106,18 +106,27 @@ static int shorten_decode_init(AVCodecCo
     return 0;
 }
 
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
     int i, chan;
     for (chan=0; chan<s->channels; chan++) {
+        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+            return -1;
+        }
+        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+            return -1;
+        }
+
         s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 
         s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
         for (i=0; i<s->nwrap; i++)
             s->decoded[chan][i] = 0;
         s->decoded[chan] += s->nwrap;
-
     }
+    return 0;
 }
 
 
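Review bot: The results of the two `av_realloc` calls are still unchecked even though the function now has an error return: `s->decoded[chan]` is written through on the next line (`s->decoded[chan][i] = 0`) and then advanced by `s->nwrap`, so an allocation failure dereferences NULL, and both calls overwrite the old pointer so it is lost on failure. If `blocksize` and `nwrap` are plain `int` (their declarations are not in the hunk), `s->blocksize + s->nwrap` can overflow as signed arithmetic before the `(unsigned)` comparison sees it; computing the sum in unsigned first avoids that, and the `nmean` test is loop-invariant and could be hoisted above the `for`. Since `s->decoded[chan]` is advanced by `nwrap` at the end of each iteration, a second call to allocate_buffers would hand av_realloc an interior pointer — worth confirming the caller only invokes it once. Callers must now also check the return value; they are outside the hunk.
```c
    for (chan=0; chan<s->channels; chan++) {
        // … unchanged: nmean and blocksize+nwrap range checks …
        void *tmp = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
        if(!tmp){
            av_log(s->avctx, AV_LOG_ERROR, "cannot allocate offset buffer\n");
            return -1;
        }
        s->offset[chan] = tmp;

        tmp = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
        if(!tmp){
            av_log(s->avctx, AV_LOG_ERROR, "cannot allocate decoded buffer\n");
            return -1;
        }
        s->decoded[chan] = tmp;
        // … unchanged: zero the first nwrap samples and advance decoded[chan] …
    }
```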
--- xine-lib-1.1.0/src/libffmpeg/libavcodec/vorbis.c.cve-2006-4800	2005-07-19 14:31:07.000000000 -0600
+++ xine-lib-1.1.0/src/libffmpeg/libavcodec/vorbis.c	2006-09-25 11:12:27.000000000 -0600
@@ -743,10 +743,17 @@ static int vorbis_parse_id_hdr(vorbis_co
     bl1=get_bits(gb, 4);
     vc->blocksize_0=(1<<bl0);
     vc->blocksize_1=(1<<bl1);
-    if (bl0>13 || bl0<6 || bl1>13 || bl1<6) {
+    if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1<bl0) {
         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n");
         return 3;
     }
+    // output format int16
+    if (vc->blocksize_1/2 * vc->audio_channels * 2 >
+                                             AVCODEC_MAX_AUDIO_FRAME_SIZE) {
+        av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes "
+               "output packets too large.\n");
+        return 4;
+    }
     vc->swin=vwin[bl0-6];
     vc->lwin=vwin[bl1-6];
 
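Review bot: The literal `2` in `vc->blocksize_1/2 * vc->audio_channels * 2` is the int16 sample size that the preceding `// output format int16` comment refers to; writing it as `sizeof(int16_t)` keeps the bound tied to the stated output format, e.g. `if (vc->blocksize_1/2 * vc->audio_channels * sizeof(int16_t) > AVCODEC_MAX_AUDIO_FRAME_SIZE) {`. The return codes 3 and 4 are undocumented magic values; a one-line comment on each saying what it signals would help callers. `audio_channels` is read before this hunk, so whether a zero channel count is rejected cannot be confirmed here. vorbis_parse_id_hdr continues outside the hunk.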
--- xine-lib-1.1.0/src/libffmpeg/libavcodec/snow.c.cve-2006-4800	2005-05-27 19:40:41.000000000 -0600
+++ xine-lib-1.1.0/src/libffmpeg/libavcodec/snow.c	2006-09-25 11:17:49.000000000 -0600
@@ -3176,6 +3176,11 @@ static int decode_header(SnowContext *s)
     s->mv_scale= get_symbol(&s->c, s->header_state, 0);
     s->qbias= get_symbol(&s->c, s->header_state, 1);
     s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
+    if(s->block_max_depth > 1 || s->block_max_depth < 0){
+        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
+        s->block_max_depth= 0;
+        return -1;
+    }
 
     return 0;
 }
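Review bot: The error message at `"block_max_depth= %d is too large"` lacks a trailing newline and says "too large" even when the rejected value is negative; `"block_max_depth= %d is out of range\n"` covers both branches of the condition. If `block_max_depth` is an unsigned field (its declaration is not in the hunk), the `< 0` test is always false and compilers will warn about it, so the field's type should be verified. Resetting the field to 0 before returning -1 is a sensible defensive default. decode_header starts outside the hunk; `mv_scale` and `qbias` read just above are left unvalidated, which may be intentional.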