aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Gehrer <stefan.gehrer@gmx.de>2009-02-03 17:56:24 +0000
committerStefan Gehrer <stefan.gehrer@gmx.de>2009-02-03 17:56:24 +0000
commitcc55c464987c0bfceef32efffd73069509ea784c (patch)
treec19516c46f48673812edae69e0c3d2cb8eaaa966
parent61eb8cc420e5270346c10408dcdbe3318c5b1584 (diff)
downloadffmpeg-cc55c464987c0bfceef32efffd73069509ea784c.tar.gz
check validity of pointer srcC
Originally committed as revision 16973 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/adpcm.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 5ccddc653d..415ec99b3d 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1285,6 +1285,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
unsigned int channel;
uint16_t *samplesC;
const uint8_t *srcC;
+ const uint8_t *src_end = buf + buf_size;
samples_in_chunk = (big_endian ? bytestream_get_be32(&src)
: bytestream_get_le32(&src)) / 28;
@@ -1295,9 +1296,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
}
for (channel=0; channel<avctx->channels; channel++) {
- srcC = src + (avctx->channels-channel) * 4;
- srcC += (big_endian ? bytestream_get_be32(&src)
- : bytestream_get_le32(&src));
+ int32_t offset = (big_endian ? bytestream_get_be32(&src)
+ : bytestream_get_le32(&src))
+ + (avctx->channels-channel-1) * 4;
+
+ if ((offset < 0) || (offset >= src_end - src - 4)) break;
+ srcC = src + offset;
samplesC = samples + channel;
if (avctx->codec->id == CODEC_ID_ADPCM_EA_R1) {
@@ -1311,6 +1315,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
for (count1=0; count1<samples_in_chunk; count1++) {
if (*srcC == 0xEE) { /* only seen in R2 and R3 */
srcC++;
+ if (srcC > src_end - 30*2) break;
current_sample = (int16_t)bytestream_get_be16(&srcC);
previous_sample = (int16_t)bytestream_get_be16(&srcC);
@@ -1323,6 +1328,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
coeff2 = ea_adpcm_table[(*srcC>>4) + 4];
shift = (*srcC++ & 0x0F) + 8;
+ if (srcC > src_end - 14) break;
for (count2=0; count2<28; count2++) {
if (count2 & 1)
next_sample = (int32_t)((*srcC++ & 0x0F) << 28) >> shift;