aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul B Mahol <onemda@gmail.com>2022-11-22 11:27:39 +0100
committerPaul B Mahol <onemda@gmail.com>2022-11-22 20:51:42 +0100
commitabb5ff373d7da5e2246f00448efda47727e8cdb1 (patch)
tree16acdd4aa427bad6a6c62146abf6c5fdcc2d302e
parent9f5a9a749962e10a98ef040f87817ef1fede3df9 (diff)
downloadffmpeg-abb5ff373d7da5e2246f00448efda47727e8cdb1.tar.gz
avcodec/bonk: check level value to not reach invalid values
Also reset bitstream parsing variables on fatal error.
-rw-r--r--libavcodec/bonk.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 2b2e202428..4793bf2561 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -217,6 +217,9 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part)
level += 1 << low_bits;
}
+ if (level > 1 << 15)
+ return AVERROR_INVALIDDATA;
+
if (x >= max_x)
return AVERROR_INVALIDDATA;
@@ -330,7 +333,7 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame,
skip_bits(gb, s->skip);
if ((ret = intlist_read(s, s->k, s->n_taps, 0)) < 0)
- return ret;
+ goto fail;
for (int i = 0; i < s->n_taps; i++)
s->k[i] *= s->quant[i];
@@ -345,7 +348,7 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame,
predictor_init_state(s->k, state, s->n_taps);
if ((ret = intlist_read(s, s->input_samples, samples_per_packet, 1)) < 0)
- return ret;
+ goto fail;
for (int i = 0; i < samples_per_packet; i++) {
for (int j = 0; j < s->down_sampling - 1; j++) {
@@ -390,6 +393,7 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame,
n = get_bits_count(gb) / 8;
if (n > buf_size) {
+fail:
s->bitstream_size = 0;
s->bitstream_index = 0;
return AVERROR_INVALIDDATA;