authorLaurent Aimar <fenrir@videolan.org>2011-10-01 00:45:02 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-10-01 21:03:35 +0200
commit802045777afe0c04cc42ef11f59e273239faaa99 (patch)
tree15648d1953bdcdb1c95114a55c44049cf466b8b5
parente8fd4a43ba758adb9378afe2cde4a5b9d4bda357 (diff)
Fix out of bound reads due to integer overflow in the ADPCM IMA Electronic Arts EACS decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 346876ec168affe7c21be88d8f1acf1a75cc8409)
-rw-r--r--libavcodec/adpcm.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index ba312558b0..de7bc7a45b 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1333,10 +1333,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
buf_size -= 128;
}
break;
- case CODEC_ID_ADPCM_IMA_EA_EACS:
+ case CODEC_ID_ADPCM_IMA_EA_EACS: {
+ unsigned header_size = 4 + (8<<st);
samples_in_chunk = bytestream_get_le32(&src) >> (1-st);
- if (samples_in_chunk > buf_size-4-(8<<st)) {
+ if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
src += buf_size - 4;
break;
}
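Review bot: The 4-byte `bytestream_get_le32(&src)` read still runs before the new `buf_size < header_size` guard, so a packet shorter than 4 bytes is read past its end before it is rejected; that is only harmless if the caller guarantees input padding, which this hunk does not show. Test the header size first and read the count afterwards, e.g. `if (buf_size < header_size) { src += buf_size; break; }` ahead of the read (assuming `src` still points at the packet start here, as the existing `src += buf_size - 4` suggests). The two-part condition also deserves a comment such as `/* compare before subtracting: buf_size - header_size wraps for short packets */`, since that wrap is the bug being fixed and a later cleanup could fold the test back into one subtraction. The rejection path drops the packet silently, so a log message there would make malformed EACS input visible to whoever triages it. The enclosing `adpcm_decode_frame` starts and ends outside the hunk, so the declared types of `buf_size` and `samples_in_chunk` are not visible here.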
@@ -1351,6 +1352,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
*samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
}
break;
+ }
case CODEC_ID_ADPCM_IMA_EA_SEAD:
for (; src < buf+buf_size; src++) {
*samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);