diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-05-03 21:02:32 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-05-03 21:02:32 +0200 |
| commit | 27744fe439c59182e608c381928817d64bb21d96 (patch) | |
| tree | 62b70361f060197a5f8fc961cea0877c0df443d5 /libavcodec/tta.c | |
| parent | af58a77f0a9760c97c736bb54ae2884dcf73cf4f (diff) | |
| parent | 1d4a01474d54a4d3bb59dc94d285334f7bcbd889 (diff) | |
| download | ffmpeg-27744fe439c59182e608c381928817d64bb21d96.tar.gz | |
Merge remote-tracking branch 'qatar/master'
* qatar/master:
mpeg12: fixed parsing in some mpeg2 streams
Add SMPTE240M transfer characteristics flag.
mpegts: Some additional HDMV types and reg descriptors for mpegts
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
ituh263dec: Implement enough of Annex O (scalability) to fix a FPE.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
configure: remove malloc_aligned.
vp8: update frame size changes on thread context switches.
snowdsp: explicitily state instruction size.
wmall: fix reconstructing audio with uncoded channels
WMAL cosmetics: fix indentation
gitignore: add Win32 library suffixes
Conflicts:
configure
libavcodec/h263dec.c
libavcodec/h264.c
libavcodec/ituh263dec.c
libavcodec/mjpegdec.c
libavcodec/wmalosslessdec.c
libavcodec/x86/snowdsp_mmx.c
libavformat/mpegts.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/tta.c')
| -rw-r--r-- | libavcodec/tta.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 83d45abedf..03fa12d5dc 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -61,7 +61,8 @@ typedef struct TTAContext { GetBitContext gb; const AVCRC *crc_table; - int format, channels, bps, data_length; + int format, channels, bps; + unsigned data_length; int frame_length, last_frame_length, total_frames; int32_t *decode_buffer; @@ -235,7 +236,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) } // prevent overflow - if (avctx->sample_rate > 0x7FFFFF) { + if (avctx->sample_rate > 0x7FFFFFu) { av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n"); return AVERROR(EINVAL); } @@ -255,7 +256,8 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) return AVERROR_INVALIDDATA; // FIXME: seek table - if (get_bits_left(&s->gb) < 32 * s->total_frames + 32) + if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 || + avctx->extradata_size - 26 < s->total_frames * 4) av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n"); else if (avctx->err_recognition & AV_EF_CRCCHECK) { if (avctx->extradata_size < 26 + s->total_frames * 4 || tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4)) |