[FFmpeg-cvslog] adpcm: fix out of bound reads due to integer overflow
Laurent Aimar
git at videolan.org
Tue Oct 11 03:52:34 CEST 2011
ffmpeg | branch: master | Laurent Aimar <fenrir at videolan.org> | Fri Sep 30 23:42:32 2011 +0000| [c7f89064e2f0fef8198aadf64b0daf12787404ee] | committer: Janne Grunau
adpcm: fix out of bound reads due to integer overflow
Signed-off-by: Janne Grunau <janne-libav at jannau.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c7f89064e2f0fef8198aadf64b0daf12787404ee
---
libavcodec/adpcm.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index fadafaf..98da459 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -630,10 +630,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
buf_size -= 128;
}
break;
- case CODEC_ID_ADPCM_IMA_EA_EACS:
+ case CODEC_ID_ADPCM_IMA_EA_EACS: {
+ unsigned header_size = 4 + (8<<st);
samples_in_chunk = bytestream_get_le32(&src) >> (1-st);
- if (samples_in_chunk > buf_size-4-(8<<st)) {
+ if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
src += buf_size - 4;
break;
}
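Review bot: The new `buf_size < header_size` test sits after `samples_in_chunk = bytestream_get_le32(&src) >> (1-st);`, so the four-byte read has already happened by the time the size is validated. Unless a check outside this hunk guarantees at least four bytes, a very short packet is still read past its end. Consider declaring `header_size` and testing `buf_size < header_size` before the read, and doing only the `samples_in_chunk` comparison afterwards. Separately, `header_size` is unsigned, so `buf_size - header_size` is evaluated in unsigned arithmetic and only the first condition of the `||` keeps it from wrapping. A one-line comment saying that the order of the two conditions matters would stop a later cleanup from reordering or merging them.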
@@ -648,6 +649,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
*samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
}
break;
+ }
case CODEC_ID_ADPCM_IMA_EA_SEAD:
for (; src < buf+buf_size; src++) {
*samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);