nsvdec: Fix use of uninitialized streams.

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-01-24 22:20:26 +01:00 · 2012-01-24 22:20:26 +01:00 · 5c011706bc
commit 5c011706bc
parent 7988dd1b9a
1 changed files with 4 additions and 4 deletions
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@ -606,12 +606,12 @@ null_chunk_retry:
    }

    /* map back streams to v,a */
-    if (s->streams[0])
+    if (s->nb_streams > 0)
        st[s->streams[0]->id] = s->streams[0];
-    if (s->streams[1])
+    if (s->nb_streams > 1)
        st[s->streams[1]->id] = s->streams[1];

-    if (vsize/* && st[NSV_ST_VIDEO]*/) {
+    if (vsize && st[NSV_ST_VIDEO]) {
        nst = st[NSV_ST_VIDEO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_VIDEO];
        av_get_packet(pb, pkt, vsize);
@ -624,7 +624,7 @@ null_chunk_retry:
    if(st[NSV_ST_VIDEO])
        ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;

-    if (asize/*st[NSV_ST_AUDIO]*/) {
+    if (asize && st[NSV_ST_AUDIO]) {
        nst = st[NSV_ST_AUDIO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_AUDIO];
        /* read raw audio specific header on the first audio chunk... */