aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin Ruggles <justin.ruggles@gmail.com>2011-11-19 17:51:36 -0500
committerJustin Ruggles <justin.ruggles@gmail.com>2011-11-26 16:25:06 -0500
commite2d1eace00a80c4b53998397d38ea4e08c5d47f0 (patch)
treeaad65fc23e9ceda55cc30787c47e10b34b76b4a3
parent8db67610c016d1aa8ed09643b1ee9b96f7b18c01 (diff)
downloadffmpeg-e2d1eace00a80c4b53998397d38ea4e08c5d47f0.tar.gz
adx: validate header values
-rw-r--r--libavcodec/adxdec.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c
index 7d06d27a75..887c6d1404 100644
--- a/libavcodec/adxdec.c
+++ b/libavcodec/adxdec.c
@@ -93,7 +93,7 @@ static void adx_decode_stereo(int16_t *out,const uint8_t *in,
* @param avctx codec context
* @param buf packet data
* @param bufsize packet size
- * @return data offset or 0 if header is invalid
+ * @return data offset or negative error code if header is invalid
*/
static int adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
int bufsize)
@@ -101,13 +101,18 @@ static int adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
int offset;
if (buf[0] != 0x80)
- return 0;
+ return AVERROR_INVALIDDATA;
offset = (AV_RB32(buf) ^ 0x80000000) + 4;
if (bufsize < offset || memcmp(buf + offset - 6, "(c)CRI", 6))
- return 0;
+ return AVERROR_INVALIDDATA;
avctx->channels = buf[7];
+ if (avctx->channels > 2)
+ return AVERROR_INVALIDDATA;
avctx->sample_rate = AV_RB32(buf + 8);
+ if (avctx->sample_rate < 1 ||
+ avctx->sample_rate > INT_MAX / (avctx->channels * 18 * 8))
+ return AVERROR_INVALIDDATA;
avctx->bit_rate = avctx->sample_rate * avctx->channels * 18 * 8 / 32;
return offset;
@@ -125,8 +130,10 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if (!c->header_parsed) {
int hdrsize = adx_decode_header(avctx, buf, rest);
- if (!hdrsize)
- return -1;
+ if (hdrsize < 0) {
+ av_log(avctx, AV_LOG_ERROR, "invalid stream header\n");
+ return hdrsize;
+ }
c->header_parsed = 1;
buf += hdrsize;
rest -= hdrsize;