Module: libav Branch: master Commit: ac94b8bcc6cdba000ada0c84b4c287f7f37f2384
Author: Justin Ruggles <[email protected]> Committer: Justin Ruggles <[email protected]> Date: Thu Sep 8 18:57:56 2011 -0400 adpcm: simplify packet size bounds checking in the ADPCM IMA QT decoder. This is easier to understand. It also avoids returning existing samples mixed with new samples when the packet is too small. --- libavcodec/adpcm.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index c6b0aaa..ae3f99b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -379,7 +379,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx, switch(avctx->codec->id) { case CODEC_ID_ADPCM_IMA_QT: - n = buf_size - 2*avctx->channels; + /* In QuickTime, IMA is encoded by chunks of 34 bytes (=64 samples). + Channel data is interleaved per-chunk. */ + if (buf_size / 34 < avctx->channels) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } for (channel = 0; channel < avctx->channels; channel++) { int16_t predictor; int step_index; @@ -412,7 +417,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, samples = (short*)data + channel; - for(m=32; n>0 && m>0; n--, m--) { /* in QuickTime, IMA is encoded by chuncks of 34 bytes (=64 samples) */ + for (m = 0; m < 32; m++) { *samples = adpcm_ima_qt_expand_nibble(cs, src[0] & 0x0F, 3); samples += avctx->channels; *samples = adpcm_ima_qt_expand_nibble(cs, src[0] >> 4 , 3); _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
