diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2015-06-04 22:34:12 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-06-10 02:13:12 +0200 |
| commit | 6fd4b2b84f603a0b5721ec1bc965abadb89095e8 (patch) | |
| tree | 10c0b80e7b410347c4c48003568183b23ed1e987 | |
| parent | a3740b6a8644198d9c61f9080f4fa407d37531b8 (diff) | |
| download | ffmpeg-6fd4b2b84f603a0b5721ec1bc965abadb89095e8.tar.gz | |
avcodec/adpcm: Check for overreads
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3c803ed9cb23e5a8d76b6c31d8a8c71cac27e769)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/adpcm.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index dbbb358b44..b16abc9119 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -570,6 +570,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_IMA_DK4: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_IMA_RAD: @@ -583,13 +585,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; break; } case AV_CODEC_ID_ADPCM_MS: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); - nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; + nb_samples = (buf_size - 6 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_3: @@ -602,6 +606,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; } if (!s->status[0].step_index) { + if (buf_size < ch) + return AVERROR_INVALIDDATA; nb_samples++; buf_size -= ch; } @@ -1517,6 +1523,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; + if (avpkt->size < bytestream2_tell(&gb)) { + av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb)); + return avpkt->size; + } + return bytestream2_tell(&gb); } |