opensource/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-06-26 10:22:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix input buffer size check in adpcm_ea decoder.

Browse Source 
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".

Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
This commit is contained in:
Reimar Döffinger
2011-09-07 22:14:07 -04:00
committed by Justin Ruggles
parent c2d3f56107
commit ffe92ff9f0
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/adpcm.c
View File

@ -633,11 +633,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
} }
break; break;
case CODEC_ID_ADPCM_EA: case CODEC_ID_ADPCM_EA:
if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) { /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
src += buf_size; each coding 28 stereo samples. */
break; if (buf_size < 12) {
av_log(avctx, AV_LOG_ERROR, "frame too small\n");
return AVERROR(EINVAL);
} }
samples_in_chunk = AV_RL32(src); samples_in_chunk = AV_RL32(src);
if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
return AVERROR(EINVAL);
}
src += 4; src += 4;
current_left_sample = (int16_t)bytestream_get_le16(&src); current_left_sample = (int16_t)bytestream_get_le16(&src);
previous_left_sample = (int16_t)bytestream_get_le16(&src); previous_left_sample = (int16_t)bytestream_get_le16(&src);