[FFmpeg-devel] [PATCH] wmavoice: limit wmavoice_decode_packet return value to packet size
Michael Niedermayer
michaelni at gmx.at
Sat Jun 27 23:01:31 CEST 2015
On Sat, Jun 27, 2015 at 08:36:15PM +0200, Andreas Cadhalpun wrote:
> Claiming to have decoded more bytes than the packet size is wrong.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavcodec/wmavoice.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
> index ae88d4e..6cd407a 100644
> --- a/libavcodec/wmavoice.c
> +++ b/libavcodec/wmavoice.c
> @@ -1982,7 +1982,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
> *got_frame_ptr) {
> cnt += s->spillover_nbits;
> s->skip_bits_next = cnt & 7;
> - return cnt >> 3;
> + return FFMIN(cnt >> 3, avpkt->size);
> } else
> skip_bits_long (gb, s->spillover_nbits - cnt +
> get_bits_count(gb)); // resync
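Review bot: In the spillover branch the clamp is applied only to the return value, while `s->skip_bits_next = cnt & 7;` on the line above is still derived from the unclamped `cnt`. When `cnt >> 3` exceeds `avpkt->size`, the stored bit offset for the next call no longer matches the byte count reported to the caller. Compare `cnt` against `avpkt->size * 8` before `skip_bits_next` is written, and either reset that state or fail the call there. A one-line comment saying when `cnt` can exceed the packet size would also help, since the hunk does not show why the clamp is needed.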
> @@ -2001,7 +2001,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
> } else if (*got_frame_ptr) {
> int cnt = get_bits_count(gb);
> s->skip_bits_next = cnt & 7;
> - return cnt >> 3;
> + return FFMIN(cnt >> 3, avpkt->size);
> } else if ((s->sframe_cache_size = pos) > 0) {
> /* rewind bit reader to start of last (incomplete) superframe... */
> init_get_bits(gb, avpkt->data, size << 3);
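Review bot: In the `*got_frame_ptr` branch, `FFMIN(cnt >> 3, avpkt->size)` hides the condition rather than reporting it. If `get_bits_count(gb)` is larger than the packet's bit length at this point, the frame flagged by `*got_frame_ptr` was decoded using bits that are not in the packet, and it is still handed back as a good frame. An explicit check such as `cnt > avpkt->size * 8` that returns AVERROR_INVALIDDATA would make the over-read visible to the caller. If clamping is kept instead, the commit message should say which input makes `cnt` exceed the packet size.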
Am I assuming correctly that gb was read beyond its end?
If so, this maybe should be treated as an error instead of clipping.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The educated differ from the uneducated as much as the living from the
dead. -- Aristotle