alsdec: check block length

Fix writing over the end

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Addresses: CVE-2013-0845

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 782a1b8..f7dee7d 100644 (file)
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1376,6 +1376,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
 
         for (b = 0; b < ctx->num_blocks; b++) {
             bd.block_length = div_blocks[b];
+            if (bd.block_length <= 0) {
+                av_log(ctx->avctx, AV_LOG_WARNING,
+                       "Invalid block length %d in channel data!\n", bd.block_length);
+                continue;
+            }
 
             for (c = 0; c < avctx->channels; c++) {
                 bd.const_block = ctx->const_block + c;