diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2014-04-30 04:12:29 +0200 |
---|---|---|
committer | Carl Eugen Hoyos <cehoyos@ag.or.at> | 2014-05-01 18:22:19 +0200 |
commit | 43d64829e6219aa1b26add0e02b3f0d955116f07 (patch) | |
tree | 9c29a27c2fda8cb37b451a5471e262ac11629548 | |
parent | 4a479fd3e6a7776e2302405d9a177e5f1ecc5acb (diff) | |
download | ffmpeg-43d64829e6219aa1b26add0e02b3f0d955116f07.tar.gz |
avcodec/vorbisdec: try to workaround libvorbisenc bug
Fixes Ticket3590
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0a266cb55af9794fc5cff695d35cae4111e4334f)
-rw-r--r-- | libavcodec/vorbisdec.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index d928446722..dfffc6f046 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -701,8 +701,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc) res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end > (res_setup->type == 2 ? vc->audio_channels : 1) * vc->blocksize[1] / 2 || - (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { + (res_setup->end-res_setup->begin) / res_setup->partition_size > FFMIN(V_MAX_PARTITIONS, 65535)) { av_log(vc->avctx, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n", res_setup->type, res_setup->begin, res_setup->end, @@ -1372,6 +1371,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned pass, ch_used, i, j, k, l; unsigned max_output = (ch - 1) * vlen; int ptns_to_read = vr->ptns_to_read; + int libvorbis_bug = 0; if (vr_type == 2) { for (j = 1; j < ch; ++j) @@ -1386,8 +1386,13 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } if (max_output > ch_left * vlen) { - av_log(vc->avctx, AV_LOG_ERROR, "Insufficient output buffer\n"); - return AVERROR_INVALIDDATA; + if (max_output <= ch_left * vlen + vr->partition_size*ch_used/ch) { + ptns_to_read--; + libvorbis_bug = 1; + } else { + av_log(vc->avctx, AV_LOG_ERROR, "Insufficient output buffer\n"); + return AVERROR_INVALIDDATA; + } } av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c); @@ -1496,6 +1501,14 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffset += vr->partition_size; } } + if (libvorbis_bug && !pass) { + for (j = 0; j < ch_used; ++j) { + if (!do_not_decode[j]) { + get_vlc2(&vc->gb, vc->codebooks[vr->classbook].vlc.table, + vc->codebooks[vr->classbook].nb_bits, 3); + } + } + } } return 0; } |