aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin Ruggles <justin.ruggles@gmail.com>2011-10-11 14:12:54 -0400
committerJustin Ruggles <justin.ruggles@gmail.com>2011-10-28 11:47:28 -0400
commit5b8009f4c80d8fd96523c8c163441ad4011ad472 (patch)
treeaf39a3486932cd7e6decfdca8456a296d0c63c4f
parenta4c32c9a63142b602820800742f2d543b58cd278 (diff)
downloadffmpeg-5b8009f4c80d8fd96523c8c163441ad4011ad472.tar.gz
apedec: do not keep incrementing the input data pointer past the end of the
buffer during entropy decoding. The pointer address could overflow, which would likely segfault. Instead set the context error flag to indicate that the decoder tried to read past the end of the packet data.
-rw-r--r--libavcodec/apedec.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index ef990bf693..133eb2da58 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
{
while (ctx->rc.range <= BOTTOM_VALUE) {
ctx->rc.buffer <<= 8;
- if(ctx->ptr < ctx->data_end)
+ if(ctx->ptr < ctx->data_end) {
ctx->rc.buffer += *ctx->ptr;
- ctx->ptr++;
+ ctx->ptr++;
+ } else {
+ ctx->error = 1;
+ }
ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) & 0xFF);
ctx->rc.range <<= 8;
}
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
ape_unpack_stereo(s, blockstodecode);
emms_c();
- if(s->error || s->ptr > s->data_end){
+ if (s->error) {
s->samples=0;
av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
return AVERROR_INVALIDDATA;