highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adpcm: fix out of bound reads due to integer overflow

Browse Source 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit c7f89064e2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Laurent Aimar
2011-09-30 23:42:32 +00:00
committed by Reinhard Tartler
parent 39fed2e95b
commit 518c72474d
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/adpcm.c
View File

@@ -1267,10 +1267,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
buf_size -= 128; buf_size -= 128;
} }
break; break;
case CODEC_ID_ADPCM_IMA_EA_EACS: case CODEC_ID_ADPCM_IMA_EA_EACS: {
unsigned header_size = 4 + (8<<st);
samples_in_chunk = bytestream_get_le32(&src) >> (1-st); samples_in_chunk = bytestream_get_le32(&src) >> (1-st);
if (samples_in_chunk > buf_size-4-(8<<st)) { if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
src += buf_size - 4; src += buf_size - 4;
break; break;
} }
@@ -1285,6 +1286,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
*samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3); *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
} }
break; break;
}
case CODEC_ID_ADPCM_IMA_EA_SEAD: case CODEC_ID_ADPCM_IMA_EA_SEAD:
for (; src < buf+buf_size; src++) { for (; src < buf+buf_size; src++) {
*samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6); *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);