[FFmpeg-cvslog] avcodec/qoadec: fix overreads and fix packet size check

[Paul B Mahol]

ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Tue Dec  5 14:46:26 2023 +0100| [7e453dad3c776768ec71ac4a65c2859bb660c498] | committer: Paul B Mahol

avcodec/qoadec: fix overreads and fix packet size check

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7e453dad3c776768ec71ac4a65c2859bb660c498
---

 libavcodec/qoadec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/qoadec.c b/libavcodec/qoadec.c
index 443f42a527..75099d1199 100644
--- a/libavcodec/qoadec.c
+++ b/libavcodec/qoadec.c
@@ -110,8 +110,8 @@ static int qoa_decode_frame(AVCodecContext *avctx, AVFrame *frame,
     if (frame_size > avpkt->size)
         return AVERROR_INVALIDDATA;
 
-    if (frame_size < 8 + QOA_LMS_LEN * 4 * nb_channels +
-        8LL * frame->nb_samples * nb_channels / QOA_SLICE_LEN)
+    if (avpkt->size < 8 + QOA_LMS_LEN * 4 * nb_channels +
+        8LL * ((frame->nb_samples + QOA_SLICE_LEN - 1) / QOA_SLICE_LEN) * nb_channels)
         return AVERROR_INVALIDDATA;
 
     if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
@@ -127,7 +127,7 @@ static int qoa_decode_frame(AVCodecContext *avctx, AVFrame *frame,
             qch->weights[n] = sign_extend(bytestream2_get_be16u(&gb), 16);
     }
 
-    for (int sample_index = 0; sample_index < frame->nb_samples * nb_channels;
+    for (int sample_index = 0; sample_index < frame->nb_samples;
          sample_index += QOA_SLICE_LEN) {
         for (int ch = 0; ch < nb_channels; ch++) {
             QOAChannel *lms = &s->ch[ch];