[MPlayer-cvslog] CVS: main/mp3lib layer2.c,1.6,1.7

Jindrich Makovicka CVS syncmail at mplayerhq.hu
Sun Apr 10 18:42:27 CEST 2005


CVS change done by Jindrich Makovicka CVS

Update of /cvsroot/mplayer/main/mp3lib
In directory mail:/var2/tmp/cvs-serv28935

Modified Files:
	layer2.c 
Log Message:
Security fixes ported from Debian

Fix insufficient validation of MPEG header values, discovered by Yuri D'Elia
(CAN-2004-0991).

Fix buffer overflow in layer2 decoder (CVE ID CAN-2004-0805).


Index: layer2.c
===================================================================
RCS file: /cvsroot/mplayer/main/mp3lib/layer2.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- layer2.c	14 Sep 2004 21:02:19 -0000	1.6
+++ layer2.c	10 Apr 2005 16:42:25 -0000	1.7
@@ -263,7 +263,7 @@
        { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 };
   static int sblims[5] = { 27 , 30 , 8, 12 , 30 };
 
-  if(fr->lsf)
+  if(fr->sampling_frequency >= 3)	/* Or equivalent: (fr->lsf == 1) */
     table = 4;
   else
     table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
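Review bot: The new guard on `fr->sampling_frequency >= 3` uses a magic number and a comment that undercuts it: if the test really were equivalent to `(fr->lsf == 1)`, the old `if(fr->lsf)` would not have needed replacing. The check matters because `fr->sampling_frequency` is the first index into `translate[...]` in the else branch, so the comment should say that and the bound should be derived from the table's first dimension (which is not visible in this hunk) rather than hard-coded. `fr->bitrate_index` is also used as an index on the same line with no range check visible here; if it is not validated earlier in the header parser, it needs the same treatment.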
@@ -288,6 +288,11 @@
   fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
      (fr->mode_ext<<2)+4 : fr->II_sblimit;
 
+  if (fr->jsbound > fr->II_sblimit) {
+	  fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
+	  fr->jsbound=fr->II_sblimit;
+  }
+  
   if(stereo == 1 || single == 3)
     single = 0;
 
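Review bot: The clamp of `fr->jsbound` to `fr->II_sblimit` is the right fix, but the `fprintf(stderr, ...)` beside it fires on every header that trips the check, so a stream with a bad `mode_ext` in each frame can flood stderr; consider routing this through the player's own message facility or printing it once. The message text says "sideband limit" where the field it refers to, `II_sblimit`, is the subband limit. The added lines are tab-indented inside a block that otherwise uses two-space indentation, and the added blank line carries trailing whitespace.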



