nsvdec: Fix use of uninitialized streams.

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: N Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5c011706) Signed-off-by: N Alex Converse <alex.converse@gmail.com>

nsvdec: Fix use of uninitialized streams.
Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: N Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 5c011706) Signed-off-by: N Alex Converse <alex.converse@gmail.com>
6a89b41d · Michael Niedermayer · Alex Converse · b7d3dd90 · 6a89b41d
隐藏空白更改
内联并排

Showing with 4 addition and 4 deletion

libavformat/nsvdec.c libavformat/nsvdec.c +4 -4

未找到文件。
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -605,12 +605,12 @@ null_chunk_retry:
    }

    /* map back streams to v,a */
-    if (s->streams[0])
+    if (s->nb_streams > 0)
        st[s->streams[0]->id] = s->streams[0];
-    if (s->streams[1])
+    if (s->nb_streams > 1)
        st[s->streams[1]->id] = s->streams[1];

-    if (vsize/* && st[NSV_ST_VIDEO]*/) {
+    if (vsize && st[NSV_ST_VIDEO]) {
        nst = st[NSV_ST_VIDEO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_VIDEO];
        av_get_packet(pb, pkt, vsize);
@@ -623,7 +623,7 @@ null_chunk_retry:
    if(st[NSV_ST_VIDEO])
        ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;

-    if (asize/*st[NSV_ST_AUDIO]*/) {
+    if (asize && st[NSV_ST_AUDIO]) {
        nst = st[NSV_ST_AUDIO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_AUDIO];
        /* read raw audio specific header on the first audio chunk... */