ffmpeg/backport-CVE-2024-35369.patch
李宁杰 34e1436191 fix CVE-2024-36619 CVE-2024-35369
(cherry picked from commit b9fac518b6655b417c4020d28a7a61eabaa3c105)
2024-12-18 13:52:02 +08:00


From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 17 Feb 2024 09:45:57 -0300
Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values
Prevent potential integer overflows.
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavcodec/speexdec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 08c7e77..46d2587 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -1420,8 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
s->bitrate = bytestream_get_le32(&buf);
s->frame_size = bytestream_get_le32(&buf);
- if (s->frame_size < NB_FRAME_SIZE << s->mode)
+ if (s->frame_size < NB_FRAME_SIZE << s->mode ||
+ s->frame_size > INT32_MAX >> s->mode)
return AVERROR_INVALIDDATA;
+ s->frame_size <<= s->mode;
s->vbr = bytestream_get_le32(&buf);
s->frames_per_packet = bytestream_get_le32(&buf);
if (s->frames_per_packet <= 0 ||
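Review bot: The added `s->frame_size <<= s->mode;` rescales a value whose lower bound was just checked against the already scaled minimum `NB_FRAME_SIZE << s->mode`, so for any non-zero mode the stored frame size is at least `NB_FRAME_SIZE << (2 * s->mode)` and differs from what the pre-patch code stored for the same header. Whether the header field is really in pre-shift units is not visible in this hunk, so the backport should be verified against known-good streams with a non-zero mode before it ships. The new upper bound only proves that the shift itself cannot overflow; the scaled value may still be close to INT32_MAX, so later arithmetic on it needs its own guard, and the `frames_per_packet` check that starts on the hunk's last line continues outside the hunk, so it cannot be confirmed here that it covers the product. A short comment above the test, e.g. `/* reject values whose << mode would overflow int32 */`, would make the invariant explicit. Both shifts also assume `s->mode` was range-checked earlier in parse_speex_extradata, which lies above the hunk.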
--
2.33.0