From d65d8347314b645051e336aed141aaf32a6c0d02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 16:32:56 +0200 Subject: [PATCH] wmalosslessdec: Reset put bit buffer when num_saved_bits is reset. Fixes CVE-2012-2799 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index b97f39752c..df025282ae 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1230,6 +1230,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, * to decode incomplete frames in the s->len_prefix == 0 case. */ s->num_saved_bits = 0; s->packet_loss = 0; + init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } } else { @@ -1282,6 +1283,7 @@ static void flush(AVCodecContext *avctx) s->next_packet_start = 0; s->cdlms[0][0].order = 0; s->frame.nb_samples = 0; + init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } AVCodec ff_wmalossless_decoder = {