diff options
author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2011-09-07 22:14:07 -0400 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-03-18 17:50:17 +0100 |
commit | 282a1a960a75d853928b6b2b2c90951b58cb56dc (patch) | |
tree | 4050ea5618f08b07b8d91a8c6901b2f9281fcfe4 | |
parent | 2ba86066be79d68a3d0927425b407c5149a4a240 (diff) | |
download | ffmpeg-282a1a960a75d853928b6b2b2c90951b58cb56dc.tar.gz |
Fix input buffer size check in adpcm_ea decoder.
Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".
Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
(cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
-rw-r--r-- | libavcodec/adpcm.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 70a5360ce8..277334a65c 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1291,11 +1291,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx, } break; case CODEC_ID_ADPCM_EA: - if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) { - src += buf_size; - break; + /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces, + each coding 28 stereo samples. */ + if (buf_size < 12) { + av_log(avctx, AV_LOG_ERROR, "frame too small\n"); + return AVERROR(EINVAL); } samples_in_chunk = AV_RL32(src); + if (samples_in_chunk / 28 > (buf_size - 12) / 30) { + av_log(avctx, AV_LOG_ERROR, "invalid frame\n"); + return AVERROR(EINVAL); + } src += 4; current_left_sample = (int16_t)bytestream_get_le16(&src); previous_left_sample = (int16_t)bytestream_get_le16(&src); |