aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorAlex Converse <alex.converse@gmail.com>2012-01-25 15:46:14 -0800
committerAlex Converse <alex.converse@gmail.com>2012-01-30 16:49:15 -0800
commitf372ce119bd2458fa0b4ddfb2af3a36621df99f7 (patch)
tree4437c317ccb2e742eefeda098414a02448912066 /libavcodec
parenta3a0691bdecf0b2ead2d06ea06c0c278733eef91 (diff)
downloadffmpeg-f372ce119bd2458fa0b4ddfb2af3a36621df99f7.tar.gz
mp3dec: Fix a heap-buffer-overflow
In some cases, what is left to read from ptr is smaller than EXTRABYTES. Based on a patch by Thierry Foucu <tfoucu@gmail.com>. Signed-off-by: Alex Converse <alex.converse@gmail.com>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/mpegaudiodec.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 4ea5146ed6..af125d5587 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1378,16 +1378,17 @@ static int mp_decode_layer3(MPADecodeContext *s)
if (!s->adu_mode) {
int skip;
const uint8_t *ptr = s->gb.buffer + (get_bits_count(&s->gb)>>3);
+ int extrasize = av_clip(get_bits_left(&s->gb) >> 3, 0, EXTRABYTES);
assert((get_bits_count(&s->gb) & 7) == 0);
/* now we get bits from the main_data_begin offset */
av_dlog(s->avctx, "seekback: %d\n", main_data_begin);
//av_log(NULL, AV_LOG_ERROR, "backstep:%d, lastbuf:%d\n", main_data_begin, s->last_buf_size);
- memcpy(s->last_buf + s->last_buf_size, ptr, EXTRABYTES);
+ memcpy(s->last_buf + s->last_buf_size, ptr, extrasize);
s->in_gb = s->gb;
init_get_bits(&s->gb, s->last_buf, s->last_buf_size*8);
#if !UNCHECKED_BITSTREAM_READER
- s->gb.size_in_bits_plus8 += EXTRABYTES * 8;
+ s->gb.size_in_bits_plus8 += extrasize * 8;
#endif
s->last_buf_size <<= 3;
for (gr = 0; gr < nb_granules && (s->last_buf_size >> 3) < main_data_begin; gr++) {