--- MPlayer-1.0pre7/libavcodec/4xm.c.cve-2006-4800 2005-04-16 14:41:13.000000000 -0600 
+++ MPlayer-1.0pre7/libavcodec/4xm.c 2006-09-25 11:54:03.000000000 -0600 
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *
 int i, frame_4cc, frame_size;
 frame_4cc= get32(buf); 
- if(buf_size != get32(buf+4)+8){ 
+ if(buf_size != get32(buf+4)+8 || buf_size < 20){
 av_log(f->avctx, AV_LOG_ERROR, "size missmatch %d %d\n", buf_size, get32(buf+4));
 } 
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *
 cfrm= &f->cfrm[i];
 cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE); 
+ if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL 
+ av_log(f->avctx, AV_LOG_ERROR, "realloc falure"); 
+ return -1; 
+ }
 memcpy(cfrm->data + cfrm->size, buf+20, data_size);
 cfrm->size += data_size; 
--- MPlayer-1.0pre7/libavcodec/alac.c.cve-2006-4800 2005-04-16 14:41:13.000000000 -0600 
+++ MPlayer-1.0pre7/libavcodec/alac.c 2006-09-25 11:52:50.000000000 -0600 
@@ -92,6 +92,10 @@ void alac_set_info(ALACContext *alac)
 ptr += 4; /* alac */
 ptr += 4; /* 0 ? */ 
+ if(BE_32(ptr) >= UINT_MAX/4){ 
+ av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n"); 
+ return -1; 
+ }
 alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
 ptr += 4;
 alac->setinfo_7a = *ptr++; 
@@ -110,6 +114,8 @@ void alac_set_info(ALACContext *alac)
 ptr += 4;
 allocate_buffers(alac); 
+ 
+ return 0;
 }
 /* hideously inefficient. could use a bitmask search, 
--- MPlayer-1.0pre7/libavcodec/dtsdec.c.cve-2006-4800 2005-04-16 14:41:13.000000000 -0600 
+++ MPlayer-1.0pre7/libavcodec/dtsdec.c 2006-09-25 11:56:24.000000000 -0600 
@@ -33,8 +33,7 @@
 #include <malloc.h>
 #endif 
-#define INBUF_SIZE 4096 
-#define BUFFER_SIZE 4096 
+#define BUFFER_SIZE 18726
 #define HEADER_SIZE 14
 #ifdef LIBDTS_FIXED 
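Review bot: The new `buf_size < 20` condition only logs: nothing follows the av_log before the closing brace in the visible lines, so a truncated packet still proceeds into the rest of decode_frame, where the next hunk reads from `buf+20`. Unless a `return -1;` exists in lines not shown, add it directly after the av_log so the check actually rejects the frame. Note also that `get32(buf)` and `get32(buf+4)` are evaluated before any length test, so a packet shorter than 8 bytes is read past its end unless the input padding covers it; testing `buf_size < 20` before those reads would close that as well. decode_frame starts and continues outside this hunk.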
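Review bot: The added NULL check on `cfrm->data` stops the memcpy, but because the av_fast_realloc result overwrites `cfrm->data` in place, the previous buffer is leaked on failure and `cfrm->size`/`cfrm->allocated_size` still describe an allocation that no longer exists; reset them on this path, e.g. `cfrm->size = cfrm->allocated_size = 0;` before `return -1;`, so the next frame does not hand a stale size back to av_fast_realloc. The requested size `cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE` is not guarded against unsigned wrap in what is visible; if `data_size` comes from the packet it should be bounded against `buf_size - 20` before this line. The message should read `"realloc failure\n"` — every other av_log in this patch ends with a newline. decode_frame continues outside this hunk.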
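Review bot: The new `return -1;` has no visible effect on callers: the hunk header shows the function as `void alac_set_info(ALACContext *alac)` and no hunk in this patch touches that signature, so unless it was changed elsewhere the value is discarded (gcc only warns about `return` with a value in a void function) and the caller cannot tell the stream was rejected. Change the definition to `static int alac_set_info(ALACContext *alac)` and make the caller stop on a negative result. As written, a rejected `setinfo_max_samples_per_frame` leaves the remaining setinfo fields unset and skips allocate_buffers while decoding carries on. alac_set_info starts before this hunk.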
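Review bot: `allocate_buffers(alac)` on the line before the new `return 0;` is still called without any failure check, so the function now reports success even if its buffers could not be allocated. If alac's allocate_buffers can report failure (the shorten hunk in this same patch makes its counterpart return int), propagate it with `if (allocate_buffers(alac) < 0) return -1;`. As with the first alac hunk, this return value is only observable once alac_set_info is declared `int` rather than `void`.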
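Review bot: `#define BUFFER_SIZE 18726` replaces 4096 with an unexplained constant; it is presumably the largest frame length the libdts sync routine can report (so that `bufpos = buf + length` in a later hunk stays inside `buf`), but nothing in the patch says so, and a later libdts or HEADER_SIZE change could silently break that assumption. Add a comment such as `/* must cover the largest frame length the sync check can return; bufpos = buf + length relies on it */`. Better still, have the code that computes `length` (outside these hunks) reject values above BUFFER_SIZE explicitly rather than relying on the constant alone.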
@@ -231,9 +230,11 @@ dts_decode_frame (AVCodecContext *avctx,
 memcpy (bufptr, start, len);
 bufptr += len;
 start += len; 
- if (bufptr == bufpos) 
- { 
- if (bufpos == buf + HEADER_SIZE) 
+ if (bufptr != bufpos) 
+ return start - buff; 
+ if (bufpos != buf + HEADER_SIZE) 
+ break; 
+
 {
 int length; 
@@ -248,7 +249,8 @@ dts_decode_frame (AVCodecContext *avctx,
 }
 bufpos = buf + length;
 } 
- else 
+ } 
+
 {
 level_t level;
 sample_t bias; 
@@ -280,16 +282,14 @@ dts_decode_frame (AVCodecContext *avctx,
 }
 bufptr = buf;
 bufpos = buf + HEADER_SIZE; 
- continue; 
+ return start-buff;
 error:
 av_log (NULL, AV_LOG_ERROR, "error\n");
 bufptr = buf;
 bufpos = buf + HEADER_SIZE;
 } 
- } 
- } 
- return buff_size; 
+ } 
+ return start-buff;
 }
 static int 
@@ -297,7 +297,7 @@ dts_decode_init (AVCodecContext *avctx)
 {
 avctx->priv_data = dts_init (0);
 if (avctx->priv_data == NULL) 
- return 1; 
+ return -1;
 return 0;
 } 
--- MPlayer-1.0pre7/libavcodec/shorten.c.cve-2006-4800 2005-04-16 14:41:13.000000000 -0600 
+++ MPlayer-1.0pre7/libavcodec/shorten.c 2006-09-25 11:52:50.000000000 -0600 
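Review bot: The new early return `return start - buff;` reports the bytes consumed but, in the visible lines, never sets `*data_size`; if it is not zeroed at the top of dts_decode_frame (not shown) the caller reads an uninitialized output size whenever a call ends mid-frame, so add `*data_size = 0;` at function entry or before this return. The `break;` taken when a complete frame is buffered leads into the decode block that now follows the loop; if the loop can also end on its own condition, e.g. when the input runs out, that block would run on a partial buffer, so guard it with a second `if (bufptr != bufpos) return start - buff;` after the loop unless the loop has no other exit. The loop header and the start of dts_decode_frame lie outside this hunk.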
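Review bot: `bufpos = buf + length;` sets the fill target for the memcpy at the top of the loop straight from the detected frame length, and nothing visible bounds `length` by BUFFER_SIZE (now 18726); if the sync routine can report a larger value, the next memcpy writes past `buf`. Reject it before the assignment, e.g. `if (length > BUFFER_SIZE) goto error;` (the `error:` label in the following block has function scope and already resets bufptr/bufpos). The code that computes `length` is outside this hunk, so the check may already exist there — worth confirming rather than assuming.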
@@ -106,18 +106,27 @@ static int shorten_decode_init(AVCodecCo
 return 0;
 } 
-static void allocate_buffers(ShortenContext *s) 
+static int allocate_buffers(ShortenContext *s)
 {
 int i, chan;
 for (chan=0; chan<s->channels; chan++) { 
+ if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ 
+ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); 
+ return -1; 
+ } 
+ if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){ 
+ av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); 
+ return -1; 
+ } 
+
 s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
 for (i=0; i<s->nwrap; i++)
 s->decoded[chan][i] = 0;
 s->decoded[chan] += s->nwrap; 
- } 
+ return 0;
 } 
--- MPlayer-1.0pre7/libavcodec/snow.c.cve-2006-4800 2006-09-25 11:57:56.000000000 -0600 
+++ MPlayer-1.0pre7/libavcodec/snow.c 2006-09-25 12:01:17.000000000 -0600 
@@ -3162,6 +3162,12 @@ static int decode_header(SnowContext *s)
 s->qbias= get_symbol(&s->c, s->header_state, 1);
 s->block_max_depth= get_symbol(&s->c, s->header_state, 0); 
+ if(s->block_max_depth > 1 || s->block_max_depth < 0){ 
+ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth); 
+ s->block_max_depth= 0; 
+ return -1; 
+ } 
+
 return 0;
 }
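Review bot: The two `av_realloc` calls that follow the new range checks are still unchecked, and `s->decoded[chan][i] = 0` dereferences the result on the next line, so the new `int` return only covers the overflow cases and not an allocation failure; the 4xm hunk in this same patch adds exactly the check that belongs here, e.g. `if(!s->offset[chan] || !s->decoded[chan]) return -1;` before the zeroing loop (noting the old pointers are lost on failure since the realloc result overwrites them). Since allocate_buffers now returns -1, its callers (outside this hunk) must stop decoding on that value or the unset buffers will be used. As collapsed here the hunk also appears to remove the for-loop's closing `}` while adding `return 0;` without re-adding it, which would not compile — confirm against the actual patch that this is a rendering artifact.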
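Review bot: The new av_log message `"block_max_depth= %d is too large"` lacks the trailing `\n` that every other message in this patch has, so it runs into the next log line; use `"block_max_depth= %d is too large\n"`. The `< 0` half of the condition is only reachable if get_symbol with is_signed 0 can yield a negative value into this field, which is not visible here; if it can, "too large" misdescribes that case and `"invalid block_max_depth %d\n"` would cover both. Resetting `s->block_max_depth= 0` before returning is a sensible defensive step, presumably because the context outlives the failed header. decode_header starts before this hunk.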