authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2011-09-07 22:14:07 -0400
committerReinhard Tartler <siretart@tauware.de>2012-03-18 17:50:17 +0100
commit282a1a960a75d853928b6b2b2c90951b58cb56dc (patch)
tree4050ea5618f08b07b8d91a8c6901b2f9281fcfe4
parent2ba86066be79d68a3d0927425b407c5149a4a240 (diff)
downloadffmpeg-282a1a960a75d853928b6b2b2c90951b58cb56dc.tar.gz
Fix input buffer size check in adpcm_ea decoder.
Unfortunately, the output buffer size check assumes that the input buffer is never over-consumed, so this bug also allowed writes outside the output buffer if "lucky". Based on: git.videolan.org/ffmpeg.git commit 701d0eb185192542c4a17f296e39e37cedf7abc6 (cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8) Signed-off-by: Anton Khirnov <anton@khirnov.net>
-rw-r--r--libavcodec/adpcm.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 70a5360ce8..277334a65c 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1291,11 +1291,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
}
break;
case CODEC_ID_ADPCM_EA:
- if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) {
- src += buf_size;
- break;
+ /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+ each coding 28 stereo samples. */
+ if (buf_size < 12) {
+ av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+ return AVERROR(EINVAL);
}
samples_in_chunk = AV_RL32(src);
+ if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+ av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+ return AVERROR(EINVAL);
+ }
src += 4;
current_left_sample = (int16_t)bytestream_get_le16(&src);
previous_left_sample = (int16_t)bytestream_get_le16(&src);
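Review bot: The new bound `samples_in_chunk / 28 > (buf_size - 12) / 30` compares truncated piece counts, so a header value that is not a multiple of 28 passes, and the guard is only sound if the decode loop below iterates exactly `samples_in_chunk / 28` times; that loop and the declaration of `samples_in_chunk` are outside the hunk, so this could not be confirmed here. I would state that coupling in the comment, e.g. `/* Only samples_in_chunk / 28 whole pieces are decoded; the loop below must use the same count. */`. Both failures are caused by malformed input rather than a bad caller argument, so `return AVERROR_INVALIDDATA;` would describe them better than `AVERROR(EINVAL)`, assuming this branch's headers provide it. The enclosing `adpcm_decode_frame` starts and ends outside the hunk.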