alsdec: check sample pointer range in revert_channel_correlation

Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 94bb1ce882a12b6d7a1fa32715a68121b39ee838)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 41a89cba6086de2bd24f9ec7e21200fa162505e9)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

1 files changed, 23 insertions, 3 deletions

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 31636df522..6b0eb22cd0 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1219,6 +1219,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
     ALSChannelData *ch = cd[c];
     unsigned int   dep = 0;
     unsigned int channels = ctx->avctx->channels;
+    unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order;
 
     if (reverted[c])
         return 0;
@@ -1250,9 +1251,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
 
     dep = 0;
     while (!ch[dep].stop_flag) {
-        unsigned int smp;
-        unsigned int begin = 1;
-        unsigned int end   = bd->block_length - 1;
+        ptrdiff_t smp;
+        ptrdiff_t begin = 1;
+        ptrdiff_t end   = bd->block_length - 1;
         int64_t y;
         int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset;
 
@@ -1266,6 +1267,15 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
                 end   -= t;
             }
 
+            if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master ||
+                FFMAX(end   + 1,   end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) {
+                av_log(ctx->avctx, AV_LOG_ERROR,
+                       "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                       master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1,   end + 1 + t),
+                       ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                return AVERROR_INVALIDDATA;
+            }
+
             for (smp = begin; smp < end; smp++) {
                 y  = (1 << 6) +
                      MUL64(ch[dep].weighting[0], master[smp - 1    ]) +
@@ -1278,6 +1288,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
                 bd->raw_samples[smp] += y >> 7;
             }
         } else {
+
+            if (begin - 1 < ctx->raw_buffer - master ||
+                end   + 1 > ctx->raw_buffer + channels * channel_size - master) {
+                av_log(ctx->avctx, AV_LOG_ERROR,
+                       "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                       master + begin - 1, master + end + 1,
+                       ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                return AVERROR_INVALIDDATA;
+            }
+
             for (smp = begin; smp < end; smp++) {
                 y  = (1 << 6) +
                      MUL64(ch[dep].weighting[0], master[smp - 1]) +