[Ffmpeg-devel] [PATCH] THP PCM decoder (GSoC Qualification)
Michael Niedermayer
michaelni
Sat Apr 7 13:47:25 CEST 2007
Hi
On Sat, Apr 07, 2007 at 11:39:58AM +0200, Marco Gerards wrote:
> Uoti Urpala <uoti.urpala at pp1.inet.fi> writes:
>
> > On Fri, 2007-04-06 at 18:24 +0200, Marco Gerards wrote:
> >> Changing samplecnt to an unsigned int solved the problem. I am
> >> sorry it took me this much time to notice this problem.
> >
> > I think you still missed another problem (overflow).
>
> You are completely right. This is fixed now.
>
> Here is a new patch. I fixed all issues (both playback and code)
> which were found.
[...]
> break;
> + case CODEC_ID_ADPCM_THP:
> + {
> + GetBitContext gb;
> + int table[16][2];
> + unsigned int samplecnt;
> + int prev1[2], prev2[2];
> + int ch;
> +
> + if (buf_size < 80) {
> + av_log(avctx, AV_LOG_ERROR, "frame too small\n");
> + return -1;
> + }
> +
> + init_get_bits(&gb, src, buf_size * 8);
> + src += buf_size;
> +
> + get_bits_long(&gb, 32); /* Channel size */
> + samplecnt = get_bits_long(&gb, 32);
> +
> + for (ch = 0; ch < 2; ch++)
> + for (i = 0; i < 16; i++)
> + table[i][ch] = get_sbits(&gb, 16);
> +
> + /* Initialize the previous sample. */
> + for (ch = 0; ch < 2; ch++) {
> + prev1[ch] = get_sbits(&gb, 16);
> + prev2[ch] = get_sbits(&gb, 16);
> + }
> +
> + if (samples + samplecnt * (st + 1L) >= samples_end) {
> + av_log(avctx, AV_LOG_ERROR, "allocated output buffer is too small\n");
> + return -1;
> + }
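Review bot: the output-size test, if (samples + samplecnt * (st + 1L) >= samples_end), does pointer arithmetic with samplecnt exactly as it came from get_bits_long(&gb, 32). Where long and pointers are 32 bits wide, both the multiplication and the addition can wrap, so a very large samplecnt produces an address below samples_end and the frame is accepted. Compare element counts instead: reject when samplecnt is larger than (samples_end - samples) / (st + 1). That way no pointer is ever formed from the unvalidated value and the product is never computed.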
this check is still insufficient
samplecnt= 0xFFFFFFFF, st=0 will amongst many others still pass as long as
pointers are 32bit (yeah 32bit systems are still the majority AFAIK)
and on 64bit it's a gamble if random pointer + 0xFFFFFFFF will overflow
probably it won't but that's just luck
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato
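
The wrap described in the reply above, as an added example that is not part of the original message or of FFmpeg's code. It models the quoted check with 32-bit integer addresses (so the wrap is well defined in C) next to a count-based check. The function names, the buffer `out`, the addresses and the 2-byte sample size are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OUT_SAMPLES 4096
static short out[OUT_SAMPLES];            /* constructed output buffer */

/* The quoted check, modelled on a 32-bit target: addresses are uint32_t,
 * samples are assumed to be 2 bytes. Returns -1 to reject, 0 to accept. */
static int quoted_check_32(uint32_t samples, uint32_t samples_end,
                           uint32_t samplecnt, int st)
{
    uint32_t bytes = samplecnt * (uint32_t)(st + 1) * 2u; /* wraps mod 2^32 */
    uint32_t last  = samples + bytes;                     /* may wrap again */
    return last >= samples_end ? -1 : 0;
}

/* Same acceptance rule (samplecnt * channels < room), computed on element
 * counts: no pointer is formed from the untrusted value and nothing is
 * multiplied, so nothing can wrap. Requires samples <= samples_end. */
static int count_check(const short *samples, const short *samples_end,
                       unsigned int samplecnt, int st)
{
    size_t room     = (size_t)(samples_end - samples);
    size_t channels = (size_t)st + 1;

    if (room == 0 || samplecnt > (room - 1) / channels)
        return -1;
    return 0;
}

int main(void)
{
    uint32_t base = 0x08000000u;          /* constructed 32-bit address */
    uint32_t end  = base + OUT_SAMPLES * 2u;

    /* samplecnt = 0xFFFFFFFF, st = 0: the case named in the reply. */
    printf("quoted check: %d\n", quoted_check_32(base, end, 0xFFFFFFFFu, 0));
    printf("count check:  %d\n",
           count_check(out, out + OUT_SAMPLES, 0xFFFFFFFFu, 0));
    return 0;
}
```
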