adpcm: check buffer size in Funcom ISS decoder before reading header.

Also use the post-header data size to control termination of the main decoding loop.
author: Justin Ruggles <justin.ruggles@gmail.com> 2011-09-10 14:24:00 -0400
committer: Justin Ruggles <justin.ruggles@gmail.com> 2011-09-29 16:54:01 -0400
commit: 9662539c103d54cacf9adbf1345013e011c08d4f (patch)
tree: 716261bdff68c592f4e6634fadbb53463637d78d
parent: ba5d2890d735961f1e4e8484082287a552cad699 (diff)
download: ffmpeg-9662539c103d54cacf9adbf1345013e011c08d4f.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index e4e0627542..75d32633be 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -593,6 +593,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
         }
         break;
     case CODEC_ID_ADPCM_IMA_ISS:
+        n = buf_size - 4 * avctx->channels;
+        if (n < 0) {
+            av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+            return AVERROR(EINVAL);
+        }
+
         for (channel = 0; channel < avctx->channels; channel++) {
             cs = &c->status[channel];
             cs->predictor  = (int16_t)bytestream_get_le16(&src);
@@ -600,7 +606,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
             src++;
         }
 
-        while (src < buf + buf_size) {
+        while (n-- > 0) {
             uint8_t v1, v2;
             uint8_t v = *src++;
             /* nibbles are swapped for mono */
author	Justin Ruggles <justin.ruggles@gmail.com>	2011-09-10 14:24:00 -0400
committer	Justin Ruggles <justin.ruggles@gmail.com>	2011-09-29 16:54:01 -0400
commit	9662539c103d54cacf9adbf1345013e011c08d4f (patch)
tree	716261bdff68c592f4e6634fadbb53463637d78d
parent	ba5d2890d735961f1e4e8484082287a552cad699 (diff)
download	ffmpeg-9662539c103d54cacf9adbf1345013e011c08d4f.tar.gz