diff options
author | Laurent Aimar <fenrir@videolan.org> | 2010-03-03 19:31:46 +0000 |
---|---|---|
committer | Laurent Aimar <fenrir@videolan.org> | 2010-03-03 19:31:46 +0000 |
commit | a9837b58e1b060ed31753821536de128a0deaf26 (patch) | |
tree | ab1ed727b7e10cb03c913f079e5c9524b151d938 /libavcodec | |
parent | 19c8c4ecf4e26762327a472dcf34132ceb196e30 (diff) | |
download | ffmpeg-a9837b58e1b060ed31753821536de128a0deaf26.tar.gz |
Fixed overreads in TTA decoder with corrupted bistreams.
Originally committed as revision 22176 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/tta.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/tta.c b/libavcodec/tta.c index b26724b528..7dd4cc5059 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -332,9 +332,14 @@ static int tta_decode_frame(AVCodecContext *avctx, unary--; } - if (k) + if (get_bits_left(&s->gb) < k) + return -1; + + if (k) { + if (k > MIN_CACHE_BITS) + return -1; value = (unary << k) + get_bits(&s->gb, k); - else + } else value = unary; // FIXME: copy paste from original @@ -404,6 +409,8 @@ static int tta_decode_frame(AVCodecContext *avctx, } } + if (get_bits_left(&s->gb) < 32) + return -1; skip_bits(&s->gb, 32); // frame crc // convert to output buffer |