Module: libav Branch: master Commit: 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d
Author: Vitor Sessak <[email protected]> Committer: Ronald S. Bultje <[email protected]> Date: Wed Feb 29 22:09:10 2012 +0100 amrnbdec: check frame size before decoding. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] Signed-off-by: Ronald S. Bultje <[email protected]> --- libavcodec/amrnbdec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c index fff0e72..a7d0b4e 100644 --- a/libavcodec/amrnbdec.c +++ b/libavcodec/amrnbdec.c @@ -200,6 +200,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf, p->bad_frame_indicator = !get_bits1(&gb); // quality bit skip_bits(&gb, 2); // two padding bits + if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1) { + return NO_DATA; + } + if (mode < MODE_DTX) ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + 1, amr_unpacking_bitmaps_per_mode[mode]); @@ -947,6 +951,10 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data, buf_out = (float *)p->avframe.data[0]; p->cur_frame_mode = unpack_bitstream(p, buf, buf_size); + if (p->cur_frame_mode == NO_DATA) { + av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n"); + return AVERROR_INVALIDDATA; + } if (p->cur_frame_mode == MODE_DTX) { av_log_missing_feature(avctx, "dtx mode", 1); return -1; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
