[MPlayer-cvslog] r37652 - trunk/libmpcodecs/ad_hwac3.c
reimar
subversion at mplayerhq.hu
Tue Feb 9 23:51:57 CET 2016
Author: reimar
Date: Tue Feb 9 23:51:57 2016
New Revision: 37652
Log:
ad_hwac3: Check buffer sizes.
Should fix some Coverity issues.
Modified:
trunk/libmpcodecs/ad_hwac3.c
Modified: trunk/libmpcodecs/ad_hwac3.c
==============================================================================
--- trunk/libmpcodecs/ad_hwac3.c Tue Feb 9 23:29:09 2016 (r37651)
+++ trunk/libmpcodecs/ad_hwac3.c Tue Feb 9 23:51:57 2016 (r37652)
@@ -49,7 +49,7 @@ LIBAD_EXTERN(hwac3)
static int dts_syncinfo(uint8_t *indata_ptr, int *flags, int *sample_rate, int *bit_rate);
-static int decode_audio_dts(unsigned char *indata_ptr, int len, unsigned char *buf);
+static int decode_audio_dts(unsigned char *indata_ptr, int len, unsigned char *buf, int outsize);
static int a52_syncinfo (uint8_t *buf, int *sample_rate, int *bit_rate)
@@ -210,10 +210,12 @@ static int decode_audio(sh_audio_t *sh_a
if(isdts == 1)
{
- return decode_audio_dts(sh_audio->a_in_buffer, len, buf);
+ return decode_audio_dts(sh_audio->a_in_buffer, len, buf, maxlen);
}
else if(isdts == 0)
{
+ if (maxlen < 6144) return -1;
+ if (len > 6144 - 8) return -1;
AV_WB16(buf, 0xF872); // iec 61937 syncword 1
AV_WB16(buf + 2, 0x4E1F); // iec 61937 syncword 2
buf[4] = sh_audio->a_in_buffer[5] & 0x7; // bsmod
@@ -486,7 +488,7 @@ static int convert_14bits_to_16bits(cons
return (unsigned char *)p - dest;
}
-static int decode_audio_dts(unsigned char *indata_ptr, int len, unsigned char *buf)
+static int decode_audio_dts(unsigned char *indata_ptr, int len, unsigned char *buf, int outsize)
{
int nblks;
int fsize;
@@ -497,7 +499,7 @@ static int decode_audio_dts(unsigned cha
uint16_t *buf16 = (uint16_t *)buf;
fsize = dts_decode_header(indata_ptr, &rate, &nblks, &sfreq);
- if(fsize < 0)
+ if(fsize < 0 || fsize > len || outsize < fsize + 8 || outsize < nblks * 32 * 2 * 2)
return -1;
nr_samples = nblks * 32;
More information about the MPlayer-cvslog
mailing list