wmavoice: limit wmavoice_decode_packet return value to packet size

Claiming to have decoded more bytes than the packet size is wrong. Reviewed-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-06-28 12:40:12 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2015-07-18 20:23:45 +0200
commit: 254fabe758a476587cefe96c49dbd8c8c3d575ac (patch)
tree: 48423ffa3bf83b970a14bae19189b74d2e4a14ac
parent: d1f8eaf3d2b0b845b7b50e3a82267e2acd7ada02 (diff)
download: ffmpeg-254fabe758a476587cefe96c49dbd8c8c3d575ac.tar.gz
1 files changed, 16 insertions, 2 deletions
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index ae88d4ec80..fff1aa87ae 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
                     *got_frame_ptr) {
                     cnt += s->spillover_nbits;
                     s->skip_bits_next = cnt & 7;
-                    return cnt >> 3;
+                    res = cnt >> 3;
+                    if (res > avpkt->size) {
+                        av_log(ctx, AV_LOG_ERROR,
+                               "Trying to skip %d bytes in packet of size %d\n",
+                               res, avpkt->size);
+                        return AVERROR_INVALIDDATA;
+                    }
+                    return res;
                 } else
                     skip_bits_long (gb, s->spillover_nbits - cnt +
                                     get_bits_count(gb)); // resync
@@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
     } else if (*got_frame_ptr) {
         int cnt = get_bits_count(gb);
         s->skip_bits_next = cnt & 7;
-        return cnt >> 3;
+        res = cnt >> 3;
+        if (res > avpkt->size) {
+            av_log(ctx, AV_LOG_ERROR,
+                   "Trying to skip %d bytes in packet of size %d\n",
+                   res, avpkt->size);
+            return AVERROR_INVALIDDATA;
+        }
+        return res;
     } else if ((s->sframe_cache_size = pos) > 0) {
         /* rewind bit reader to start of last (incomplete) superframe... */
         init_get_bits(gb, avpkt->data, size << 3);
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-06-28 12:40:12 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2015-07-18 20:23:45 +0200
commit	254fabe758a476587cefe96c49dbd8c8c3d575ac (patch)
tree	48423ffa3bf83b970a14bae19189b74d2e4a14ac
parent	d1f8eaf3d2b0b845b7b50e3a82267e2acd7ada02 (diff)
download	ffmpeg-254fabe758a476587cefe96c49dbd8c8c3d575ac.tar.gz