author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-10-11 14:12:54 -0400 |
---|---|---|
committer | Justin Ruggles <justin.ruggles@gmail.com> | 2011-10-28 11:47:28 -0400 |
commit | 5b8009f4c80d8fd96523c8c163441ad4011ad472 (patch) | |
tree | af39a3486932cd7e6decfdca8456a296d0c63c4f | |
parent | a4c32c9a63142b602820800742f2d543b58cd278 (diff) | |
apedec: do not keep incrementing the input data pointer past the end of the
buffer during entropy decoding.
The pointer address could overflow, which would likely segfault. Instead set
the context error flag to indicate that the decoder tried to read past the
end of the packet data.
-rw-r--r-- | libavcodec/apedec.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index ef990bf693..133eb2da58 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
 {
 while (ctx->rc.range <= BOTTOM_VALUE) {
 ctx->rc.buffer <<= 8;
- if(ctx->ptr < ctx->data_end)
+ if(ctx->ptr < ctx->data_end) {
 ctx->rc.buffer += *ctx->ptr;
- ctx->ptr++;
+ ctx->ptr++;
+ } else {
+ ctx->error = 1;
+ }
 ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) & 0xFF);
 ctx->rc.range <<= 8;
 }
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
 ape_unpack_stereo(s, blockstodecode);
 emms_c();
- if(s->error || s->ptr > s->data_end){
+ if (s->error) {
 s->samples=0;
 av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
 return AVERROR_INVALIDDATA; |
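Review bot: In the new `else` branch of range_dec_normalize, `ctx->error = 1` records the overread but the loop keeps shifting zero bits into `rc.buffer`, so the rest of the frame is decoded from padding until the flag is tested in ape_decode_frame (second hunk). The visible lines no longer read or advance past `data_end`, but the deferred handling is easy to miss; I would add a comment in the branch such as `/* out of packet data: decode zero bits and flag it; ape_decode_frame() rejects the frame */`. If the entropy-decoding loops that call this helper (outside the hunk) can run for long on truncated input, an early `ctx->error` check there would bound the wasted work. The function's closing brace lies outside the hunk.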
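Review bot: Dropping `s->ptr > s->data_end` from the check after `emms_c()` leaves `s->error` as the only overread signal, and in this diff only range_dec_normalize sets it. Any other read that advances `s->ptr` (header or range-coder start-up reads, not visible here) would now overrun without being reported unless it is bounds-checked separately. Unless every such path is covered, I would keep the comparison as defence in depth: `if (s->error || s->ptr > s->data_end) {`. It is also worth confirming that `s->error` is cleared before each frame is unpacked, otherwise one truncated packet would make every later frame fail. ape_decode_frame begins and ends outside this hunk.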