--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/4xm.c.cve-2006-4800 2005-07-20 09:39:33.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/4xm.c 2006-09-21 14:47:58.000000000 -0600
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *
 int i, frame_4cc, frame_size;
 frame_4cc= get32(buf);
- if(buf_size != get32(buf+4)+8){
+ if(buf_size != get32(buf+4)+8 || buf_size < 20){
 av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
 }
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *
 cfrm= &f->cfrm[i];
 cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+ if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+ av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+ return -1;
+ }
 memcpy(cfrm->data + cfrm->size, buf+20, data_size);
 cfrm->size += data_size;
--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/alac.c.cve-2006-4800 2005-07-20 09:39:33.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/alac.c 2006-09-21 14:45:52.000000000 -0600
@@ -92,6 +92,10 @@ void alac_set_info(ALACContext *alac)
 ptr += 4; /* alac */
 ptr += 4; /* 0 ? */
+ if(BE_32(ptr) >= UINT_MAX/4){
+ av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+ return -1;
+ }
 alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
 ptr += 4;
 alac->setinfo_7a = *ptr++;
@@ -110,6 +114,8 @@ void alac_set_info(ALACContext *alac)
 ptr += 4;
 allocate_buffers(alac);
+
+ return 0;
 }
 /* hideously inefficient. could use a bitmask search,
--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/shorten.c.cve-2006-4800 2005-04-21 13:01:29.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/shorten.c 2006-09-21 14:45:54.000000000 -0600
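Review bot: The new `buf_size < 20` term on the changed `if` line only reaches the av_log; the body has no return, so a frame shorter than 20 bytes falls through into the rest of decode_frame, which (second hunk) copies from `buf+20`. The test is also evaluated after `get32(buf)` and `get32(buf+4)` have already read up to 8 bytes of the buffer, so it cannot protect those reads. I would reject short frames before any header read and leave the size-mismatch case as the log-only warning it was. decode_frame starts and ends outside this hunk.
```c
    if(buf_size < 20){
        av_log(f->avctx, AV_LOG_ERROR, "frame too small %d\n", buf_size);
        return -1;
    }
    frame_4cc= get32(buf);
    if(buf_size != get32(buf+4)+8){
        /* … unchanged: size-mismatch av_log, warning only … */
    }
```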
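Review bot: By the time the added `if(!cfrm->data)` runs, the av_fast_realloc result has already overwritten `cfrm->data`, so on failure the previous block is leaked and the slot keeps its old `cfrm->size` (and whatever av_fast_realloc did to `allocated_size`, which is not visible here) next to a NULL pointer; decode_frame returns -1, but `f->cfrm` lives in the codec context and is reused by the next frame in that slot. Reallocating through a temporary keeps the old block owned by `cfrm->data`, and zeroing `cfrm->size` and `cfrm->allocated_size` discards the partial frame and forces a real reallocation on the next attempt. The log text on the new av_log line also lacks its newline and misspells "failure". decode_frame continues outside this hunk.
```c
        cfrm= &f->cfrm[i];
        void *tmp= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
        if(!tmp){ //explicit check needed as memcpy below might not catch a NULL
            av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n");
            cfrm->size= cfrm->allocated_size= 0; // old block stays in cfrm->data; forces a fresh realloc next time
            return -1;
        }
        cfrm->data= tmp;
        /* … unchanged: memcpy and size update … */
```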
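Review bot: The added `return -1;` here (and the `return 0;` in the next hunk) returns a value from a function whose hunk header reads `void alac_set_info(ALACContext *alac)`, and no hunk in this patch touches that declaration or a caller, so unless that happened outside this excerpt the compiler will merely warn and the caller will carry on after the early return with `setinfo_max_samples_per_frame` unset and allocate_buffers never run. Change the definition to `int alac_set_info(ALACContext *alac)` and have the caller check `if(alac_set_info(alac) < 0) return -1;` (or whatever error convention that caller uses). `UINT_MAX/4` on the new `if` line is a bare magic number; a comment such as `/* presumably 4 bytes per sample in allocate_buffers; keep the product from wrapping */` would tell the next reader why, hedged because allocate_buffers is not in this patch. alac_set_info starts outside this hunk.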
@@ -106,18 +106,27 @@ static int shorten_decode_init(AVCodecCo
 return 0;
 }
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
 int i, chan;
 for (chan=0; chan<s->channels; chan++) {
+ if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+ return -1;
+ }
+ if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+ av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+ return -1;
+ }
+
 s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
 for (i=0; i<s->nwrap; i++)
 s->decoded[chan][i] = 0;
 s->decoded[chan] += s->nwrap;
- }
+ }
+ return 0;
 }
--- gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/vorbis.c.cve-2006-4800 2005-07-20 09:39:33.000000000 -0600
+++ gst-ffmpeg-0.8.6/gst-libs/ext/ffmpeg/libavcodec/vorbis.c 2006-09-21 14:45:16.000000000 -0600
@@ -743,10 +743,17 @@ static int vorbis_parse_id_hdr(vorbis_co
 bl1=get_bits(gb, 4);
 vc->blocksize_0=(1<<bl0);
 vc->blocksize_1=(1<<bl1);
- if (bl0>13 || bl0<6 || bl1>13 || bl1<6) {
+ if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1<bl0) {
 av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n");
 return 3;
 }
+ // output format int16
+ if (vc->blocksize_1/2 * vc->audio_channels * 2 >
+ AVCODEC_MAX_AUDIO_FRAME_SIZE) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes "
+ "output packets too large.\n");
+ return 4;
+ }
 vc->swin=vwin[bl0-6];
 vc->lwin=vwin[bl1-6];
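Review bot: allocate_buffers now returns -1 from the two new range checks, but this is the only hunk for shorten.c, so the call site (outside the hunk) still discards the result and the decoder carries on with whatever the buffers held before; the caller needs something like `if(allocate_buffers(s) < 0) return -1;`. The two av_realloc results on the unchanged lines remain unchecked and the `s->decoded[chan][i] = 0` loop dereferences one of them, so the NULL-return case this patch guards in 4xm.c is still open here. `s->decoded[chan] += s->nwrap` also leaves an interior pointer in `s->decoded[chan]`; if allocate_buffers can run more than once for a context (the caller is not visible), the next av_realloc receives a pointer no allocator ever returned. The new checks do not depend on `chan` and could sit above the `for` rather than repeating per channel.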
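Review bot: The arithmetic in the new guard, `vc->blocksize_1/2 * vc->audio_channels * 2`, is explained only by the one-word comment `// output format int16`; the reader has to reconstruct that a packet yields at most blocksize_1/2 samples per channel and that each is two bytes. I would replace that comment with `// worst case for one packet: blocksize_1/2 samples per channel, 2 bytes each (int16), must fit AVCODEC_MAX_AUDIO_FRAME_SIZE` — assuming that is the intent, since the decode path is not in this hunk. The guard is also trivially satisfied by `vc->audio_channels == 0`; if the channel count is not rejected where it is read (outside this hunk), `|| vc->audio_channels == 0` belongs in the first `if`. vorbis_parse_id_hdr starts and ends outside this hunk.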