diff options
| author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-04-21 19:28:30 +0200 |
|---|---|---|
| committer | Anton Khirnov <anton@khirnov.net> | 2015-05-05 16:06:58 +0200 |
| commit | 94bb1ce882a12b6d7a1fa32715a68121b39ee838 (patch) | |
| tree | bd1902a7c2b380613bbc3c1afd1ddf85a6b4afa4 /libavcodec/alsdec.c | |
| parent | 110f7f35fb615b97d983b1c6c6a714fddd28bcbe (diff) | |
| download | ffmpeg-94bb1ce882a12b6d7a1fa32715a68121b39ee838.tar.gz | |
alsdec: check sample pointer range in revert_channel_correlation
Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.
CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Diffstat (limited to 'libavcodec/alsdec.c')
| -rw-r--r-- | libavcodec/alsdec.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 093d08372e..a5452c377d 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1223,6 +1223,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ALSChannelData *ch = cd[c]; unsigned int dep = 0; unsigned int channels = ctx->avctx->channels; + unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order; if (reverted[c]) return 0; @@ -1254,9 +1255,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, dep = 0; while (!ch[dep].stop_flag) { - unsigned int smp; - unsigned int begin = 1; - unsigned int end = bd->block_length - 1; + ptrdiff_t smp; + ptrdiff_t begin = 1; + ptrdiff_t end = bd->block_length - 1; int64_t y; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; @@ -1270,6 +1271,15 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, end -= t; } + if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master || + FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t), + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) + @@ -1282,6 +1292,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples[smp] += y >> 7; } } else { + + if (begin - 1 < ctx->raw_buffer - master || + end + 1 > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + begin - 1, master + end + 1, + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1]) + |