authorVitor Sessak <vitor1001@gmail.com>2012-02-29 22:09:10 +0100
committerRonald S. Bultje <rsbultje@gmail.com>2012-02-29 14:13:58 -0800
commit882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d (patch)
tree997857a0db048b4b619410539acd1756ad532471
parent8a9faf33f2b4f40afbc3393b2be49867cea0c92d (diff)
amrnbdec: check frame size before decoding.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
-rw-r--r--libavcodec/amrnbdec.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c
index fff0e7248a..a7d0b4e337 100644
--- a/libavcodec/amrnbdec.c
+++ b/libavcodec/amrnbdec.c
@@ -200,6 +200,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf,
p->bad_frame_indicator = !get_bits1(&gb); // quality bit
skip_bits(&gb, 2); // two padding bits
+ if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1) {
+ return NO_DATA;
+ }
+
if (mode < MODE_DTX)
ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + 1,
amr_unpacking_bitmaps_per_mode[mode]);
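Review bot: The new guard in unpack_bitstream() runs only after the header bits have been pulled from `buf` (the `get_bits1`/`skip_bits` lines directly above it), so a zero-length packet is still read before `buf_size` is consulted. That is presumably covered by the decoder's input padding, but an early `if (buf_size < 1) return NO_DATA;` ahead of the bit reader setup (outside this hunk) would make the bound explicit. The condition also deserves a comment such as `/* payload for this mode plus the leading header byte must fit in the packet */`, since the `+ 1` mirrors the `buf + 1` handed to ff_amr_bit_reorder(). The order of the two tests is load-bearing: `mode >= N_MODES` has to stay first so that `frame_sizes_nb[mode]` is never indexed with an unchecked value (assuming the table has N_MODES entries, which is not visible here). The function starts and ends outside the hunk.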
@@ -947,6 +951,10 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data,
buf_out = (float *)p->avframe.data[0];
p->cur_frame_mode = unpack_bitstream(p, buf, buf_size);
+ if (p->cur_frame_mode == NO_DATA) {
+ av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n");
+ return AVERROR_INVALIDDATA;
+ }
if (p->cur_frame_mode == MODE_DTX) {
av_log_missing_feature(avctx, "dtx mode", 1);
return -1;
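Review bot: The "Corrupt bitstream" message in amrnb_decode_frame() cannot distinguish a truncated packet from an out-of-range mode, because unpack_bitstream() folds both into NO_DATA. Logging the size as well, e.g. `av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream (packet size %d)\n", buf_size);`, would make damaged or fuzzed inputs easier to triage. If NO_DATA is also a legitimate frame type in enum Mode (not visible in this diff), a valid no-data frame is now rejected as corrupt, which should at least be stated in a comment. The new path returns AVERROR_INVALIDDATA while the MODE_DTX branch right below it still returns a bare `-1`; the error returns should use AVERROR codes consistently. The function body continues outside the hunk.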