From ce7aee9b733134649a6ce2fa743e51733f33e67e Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 17 Feb 2012 14:13:40 -0800
Subject: [PATCH] dpcm: ignore extra unpaired bytes in stereo streams.

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavcodec/dpcm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 1b0f6b005b2..7f5dbfe3b91 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -183,6 +183,11 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     int stereo = s->channels - 1;
     int16_t *output_samples;
 
+    if (stereo && (buf_size & 1)) {
+        buf_size--;
+        buf_end--;
+    }
+
     /* calculate output size */
     switch(avctx->codec->id) {
     case CODEC_ID_ROQ_DPCM:
@@ -317,7 +322,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame_ptr   = 1;
     *(AVFrame *)data = s->frame;
 
-    return buf_size;
+    return avpkt->size;
 }
 
 #define DPCM_DECODER(id_, name_, long_name_)                \
-- 
GitLab