aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/alsdec.c
diff options
context:
space:
mode:
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2015-04-18 20:09:28 +0200
committerMichael Niedermayer <michaelni@gmx.at>2015-05-06 17:09:33 +0200
commitdeb0f487bdd7f989a68a286d7ac1e33045a6eda0 (patch)
treeb1d6ccacfae49fa81c2bcfd1174ab15d52dff84f /libavcodec/alsdec.c
parentf0cfa5d98a69931155b44269e56a7a330f33d7a8 (diff)
downloadffmpeg-deb0f487bdd7f989a68a286d7ac1e33045a6eda0.tar.gz
alsdec: validate time diff index
If begin is smaller than t, the subtraction 'begin -= t' wraps around, because begin is unsigned. The same applies for end < t. This causes segmentation faults. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/alsdec.c')
-rw-r--r--libavcodec/alsdec.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index abced6126d..d557759142 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1286,8 +1286,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
if (ch[dep].time_diff_sign) {
t = -t;
+ if (t > 0 && begin < t) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
+ return AVERROR_INVALIDDATA;
+ }
begin -= t;
} else {
+ if (t > 0 && end < t) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t);
+ return AVERROR_INVALIDDATA;
+ }
end -= t;
}