Fixed overreads in TTA decoder with corrupted bistreams.

Originally committed as revision 22176 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Laurent Aimar <fenrir@videolan.org> 2010-03-03 19:31:46 +0000
committer: Laurent Aimar <fenrir@videolan.org> 2010-03-03 19:31:46 +0000
commit: a9837b58e1b060ed31753821536de128a0deaf26 (patch)
tree: ab1ed727b7e10cb03c913f079e5c9524b151d938
parent: 19c8c4ecf4e26762327a472dcf34132ceb196e30 (diff)
download: ffmpeg-a9837b58e1b060ed31753821536de128a0deaf26.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index b26724b528..7dd4cc5059 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -332,9 +332,14 @@ static int tta_decode_frame(AVCodecContext *avctx,
                 unary--;
             }
 
-            if (k)
+            if (get_bits_left(&s->gb) < k)
+                return -1;
+
+            if (k) {
+                if (k > MIN_CACHE_BITS)
+                    return -1;
                 value = (unary << k) + get_bits(&s->gb, k);
-            else
+            } else
                 value = unary;
 
             // FIXME: copy paste from original
@@ -404,6 +409,8 @@ static int tta_decode_frame(AVCodecContext *avctx,
             }
         }
 
+        if (get_bits_left(&s->gb) < 32)
+            return -1;
         skip_bits(&s->gb, 32); // frame crc
 
         // convert to output buffer
author	Laurent Aimar <fenrir@videolan.org>	2010-03-03 19:31:46 +0000
committer	Laurent Aimar <fenrir@videolan.org>	2010-03-03 19:31:46 +0000
commit	a9837b58e1b060ed31753821536de128a0deaf26 (patch)
tree	ab1ed727b7e10cb03c913f079e5c9524b151d938
parent	19c8c4ecf4e26762327a472dcf34132ceb196e30 (diff)
download	ffmpeg-a9837b58e1b060ed31753821536de128a0deaf26.tar.gz