aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/apedec.c
diff options
context:
space:
mode:
authorJustin Ruggles <justin.ruggles@gmail.com>2011-10-11 14:12:54 -0400
committerJustin Ruggles <justin.ruggles@gmail.com>2011-10-28 11:47:28 -0400
commit5b8009f4c80d8fd96523c8c163441ad4011ad472 (patch)
treeaf39a3486932cd7e6decfdca8456a296d0c63c4f /libavcodec/apedec.c
parenta4c32c9a63142b602820800742f2d543b58cd278 (diff)
downloadffmpeg-5b8009f4c80d8fd96523c8c163441ad4011ad472.tar.gz
apedec: do not keep incrementing the input data pointer past the end of the
buffer during entropy decoding. The pointer address could overflow, which would likely segfault. Instead set the context error flag to indicate that the decoder tried to read past the end of the packet data.
Diffstat (limited to 'libavcodec/apedec.c')
-rw-r--r--libavcodec/apedec.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index ef990bf693..133eb2da58 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
{
while (ctx->rc.range <= BOTTOM_VALUE) {
ctx->rc.buffer <<= 8;
- if(ctx->ptr < ctx->data_end)
+ if(ctx->ptr < ctx->data_end) {
ctx->rc.buffer += *ctx->ptr;
- ctx->ptr++;
+ ctx->ptr++;
+ } else {
+ ctx->error = 1;
+ }
ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) & 0xFF);
ctx->rc.range <<= 8;
}
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
ape_unpack_stereo(s, blockstodecode);
emms_c();
- if(s->error || s->ptr > s->data_end){
+ if (s->error) {
s->samples=0;
av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
return AVERROR_INVALIDDATA;