aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZdenek Kabelac <kabi@informatics.muni.cz>2001-10-23 19:58:30 +0000
committerZdenek Kabelac <kabi@informatics.muni.cz>2001-10-23 19:58:30 +0000
commitde5123dc35da1baa2028c4f26b2d756f6f0451e2 (patch)
treebf2cb2f3603e94b30e43f4fbe5baa627ec5aa2fa
parent123ba0716e79b4fbe4f8e9f7fd501a2bd63d1998 (diff)
downloadffmpeg-de5123dc35da1baa2028c4f26b2d756f6f0451e2.tar.gz
* fixes to avoid crash when broken mp3 header is found
Originally committed as revision 182 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/mpegaudiodec.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 80a145b82f..38f21cacc4 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -985,6 +985,8 @@ static int decode_header(MPADecodeContext *s, UINT32 header)
/* extract frequency */
sample_rate_index = (header >> 10) & 3;
sample_rate = mpa_freq_tab[sample_rate_index] >> (s->lsf + mpeg25);
+ if (sample_rate == 0)
+ return 1;
sample_rate_index += 3 * (s->lsf + mpeg25);
s->sample_rate_index = sample_rate_index;
s->error_protection = ((header >> 16) & 1) ^ 1;
@@ -2280,7 +2282,7 @@ static int decode_frame(AVCodecContext * avctx,
(s->inbuf[2] << 8) | s->inbuf[3];
if (check_header(header) < 0) {
/* no sync found : move by one byte (inefficient, but simple!) */
- memcpy(s->inbuf, s->inbuf + 1, HEADER_SIZE - 1);
+ memcpy(s->inbuf, s->inbuf + 1, s->inbuf_ptr - s->inbuf);
s->inbuf_ptr--;
dprintf("skip %x\n", header);
/* reset free format frame size to give a chance
@@ -2290,6 +2292,8 @@ static int decode_frame(AVCodecContext * avctx,
if (decode_header(s, header) == 1) {
/* free format: compute frame size */
s->frame_size = -1;
+ memcpy(s->inbuf, s->inbuf + 1, s->inbuf_ptr - s->inbuf);
+ s->inbuf_ptr--;
} else {
/* update codec info */
avctx->sample_rate = s->sample_rate;
@@ -2350,14 +2354,18 @@ static int decode_frame(AVCodecContext * avctx,
buf_size -= len;
}
} else if (len < s->frame_size) {
+ if (s->frame_size > MPA_MAX_CODED_FRAME_SIZE)
+ s->frame_size = MPA_MAX_CODED_FRAME_SIZE;
len = s->frame_size - len;
if (len > buf_size)
len = buf_size;
-
+ else if (len > 0)
+ {
memcpy(s->inbuf_ptr, buf_ptr, len);
buf_ptr += len;
s->inbuf_ptr += len;
buf_size -= len;
+ }
} else {
out_size = mp_decode_frame(s, out_samples);
s->inbuf_ptr = s->inbuf;