aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/alsdec.c
diff options
context:
space:
mode:
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2015-04-21 19:25:50 +0200
committerMichael Niedermayer <michaelni@gmx.at>2015-05-06 17:09:41 +0200
commit3a0a2c2586cdd2dc986a52ba2b668ccce805b901 (patch)
tree8b761ee36a641a3a37c9dd20338ecbeaf46ac850 /libavcodec/alsdec.c
parentdeb0f487bdd7f989a68a286d7ac1e33045a6eda0 (diff)
downloadffmpeg-3a0a2c2586cdd2dc986a52ba2b668ccce805b901.tar.gz
alsdec: check sample pointer range in revert_channel_correlation
Also change the type of begin, end and smp to ptrdiff_t to make the comparison well-defined. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Reviewed-by: Thilo Borgmann <thilo.borgmann@mail.de> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit afc7748d1f6abc4b3b1cc957b0fa6941837db3d0) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/alsdec.c')
-rw-r--r--libavcodec/alsdec.c34
1 files changed, 27 insertions, 7 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index d557759142..1cd55ea923 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1242,6 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
ALSChannelData *ch = cd[c];
unsigned int dep = 0;
unsigned int channels = ctx->avctx->channels;
+ unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order;
if (reverted[c])
return 0;
@@ -1272,9 +1273,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
bd->raw_samples = ctx->raw_samples[c] + offset;
for (dep = 0; !ch[dep].stop_flag; dep++) {
- unsigned int smp;
- unsigned int begin = 1;
- unsigned int end = bd->block_length - 1;
+ ptrdiff_t smp;
+ ptrdiff_t begin = 1;
+ ptrdiff_t end = bd->block_length - 1;
int64_t y;
int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset;
@@ -1286,19 +1287,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
if (ch[dep].time_diff_sign) {
t = -t;
- if (t > 0 && begin < t) {
- av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
+ if (begin < t) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t);
return AVERROR_INVALIDDATA;
}
begin -= t;
} else {
- if (t > 0 && end < t) {
- av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t);
+ if (end < t) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t);
return AVERROR_INVALIDDATA;
}
end -= t;
}
+ if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master ||
+ FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) {
+ av_log(ctx->avctx, AV_LOG_ERROR,
+ "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+ master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t),
+ ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+ return AVERROR_INVALIDDATA;
+ }
+
for (smp = begin; smp < end; smp++) {
y = (1 << 6) +
MUL64(ch[dep].weighting[0], master[smp - 1 ]) +
@@ -1311,6 +1321,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
bd->raw_samples[smp] += y >> 7;
}
} else {
+
+ if (begin - 1 < ctx->raw_buffer - master ||
+ end + 1 > ctx->raw_buffer + channels * channel_size - master) {
+ av_log(ctx->avctx, AV_LOG_ERROR,
+ "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+ master + begin - 1, master + end + 1,
+ ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+ return AVERROR_INVALIDDATA;
+ }
+
for (smp = begin; smp < end; smp++) {
y = (1 << 6) +
MUL64(ch[dep].weighting[0], master[smp - 1]) +