author | Kostya Shishkov <kostya.shishkov@gmail.com> | 2007-09-13 05:59:58 +0000 |
---|---|---|
committer | Kostya Shishkov <kostya.shishkov@gmail.com> | 2007-09-13 05:59:58 +0000 |
commit | e938637b2ca7587c2b349458189f1f7d7da87040 (patch) | |
tree | 0b8a5976d52bf7ead0293af75a4aaf5c2f6e21fd | |
parent | bf4a1f17ee9237b6efd4250cf894e274afc31a5f (diff) | |
download | ffmpeg-e938637b2ca7587c2b349458189f1f7d7da87040.tar.gz |
Add checks on input/output buffers size for some audio decoders
Originally committed as revision 10485 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/smacker.c | 4 | ||||
-rw-r--r-- | libavcodec/truespeech.c | 8 | ||||
-rw-r--r-- | libavcodec/ws-snd1.c | 8 |
3 files changed, 17 insertions, 3 deletions
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 5d9f5f2c53..e185f4d54f 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -590,6 +590,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 }
 stereo = get_bits1(&gb);
 bits = get_bits1(&gb);
+ if ((unp_size << !bits) > *data_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
+ return -1;
+ }
 memset(vlc, 0, sizeof(VLC) * 4);
 memset(h, 0, sizeof(HuffContext) * 4);
diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c
index a03f2a0ced..eafbdf7a01 100644
--- a/libavcodec/truespeech.c
+++ b/libavcodec/truespeech.c
@@ -333,15 +333,17 @@ static int truespeech_decode_frame(AVCodecContext *avctx,
 {
 TSContext *c = avctx->priv_data;
- int i;
+ int i, j;
 short *samples = data;
 int consumed = 0;
 int16_t out_buf[240];
+ int iterations;
 if (!buf_size) return 0;
- while (consumed < buf_size) {
+ iterations = FFMIN(buf_size / 32, *data_size / 480);
+ for(j = 0; j < iterations; j++) {
 truespeech_read_frame(c, buf + consumed);
 consumed += 32;
@@ -366,7 +368,7 @@ static int truespeech_decode_frame(AVCodecContext *avctx,
 *data_size = consumed * 15;
- return buf_size;
+ return consumed;
 }
 AVCodec truespeech_decoder = {
diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index 3624909a30..a419e3dfb5 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -62,6 +62,14 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
 in_size = AV_RL16(&buf[2]);
 buf += 4;
+ if (out_size > *data_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
+ return -1;
+ }
+ if (in_size > buf_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n");
+ return -1;
+ }
 if (in_size == out_size) {
 for (i = 0; i < out_size; i++) *samples++ = (*buf++ - 0x80) << 8; |
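Review bot: In the smacker.c hunk, the new guard `(unp_size << !bits) > *data_size` is evaluated in whatever type `unp_size` has; its declaration and the read that fills it are outside the hunk, but if it is a signed int taken from the stream, a negative or very large value can overflow the shift or slip under the comparison, leaving the output bound unenforced. Rejecting negatives and comparing without shifting the untrusted value avoids that: `if (unp_size < 0 || unp_size > (*data_size >> !bits)) {`. smka_decode_frame starts and ends outside the hunk.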
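Review bot: In the truespeech.c hunks, `iterations` is 0 whenever `buf_size` is between 1 and 31 or `*data_size` is below 480, so the loop is skipped and the changed `return consumed;` in the second hunk returns 0 with `*data_size` set to 0 and nothing logged. A caller that keeps passing the remaining bytes until they are consumed would presumably make no progress on such input; the callers are not visible here. Treating this as an error right after the FFMIN line would make the condition explicit: `if (!iterations) { av_log(avctx, AV_LOG_ERROR, "Too small input or output buffer\n"); return -1; }`. The function body continues outside both hunks.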
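Review bot: In the ws-snd1.c hunk, `out_size > *data_size` appears to compare a sample count with a byte capacity: the loop below stores one element through `samples` per count using `<< 8`, which looks like 16-bit output (the declaration of `samples` is outside the hunk), so up to twice `*data_size` bytes could still be written; `if (out_size * 2 > *data_size) {` would match the write. The input check has a similar gap, because `buf += 4` has already skipped the header and only `buf_size - 4` bytes remain: `if (in_size > buf_size - 4) {`. Both checks also only help if `*data_size` still holds the caller's capacity at this point and `buf_size` is at least 4 before the AV_RL16 reads, neither of which the hunk shows.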