Module: libav Branch: release/0.7 Commit: 282a1a960a75d853928b6b2b2c90951b58cb56dc
Author: Reimar Döffinger <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Wed Sep 7 22:14:07 2011 -0400 Fix input buffer size check in adpcm_ea decoder. Unfortunately the output buffer size check assumes that the input buffer is never over-consumed, thus this actually also allowed to write outside the output buffer if "lucky". Based on: git.videolan.org/ffmpeg.git commit 701d0eb185192542c4a17f296e39e37cedf7abc6 (cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8) Signed-off-by: Anton Khirnov <[email protected]>
---
 libavcodec/adpcm.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 70a5360..277334a 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1291,11 +1291,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
 }
 break;
 case CODEC_ID_ADPCM_EA:
- if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) {
- src += buf_size;
- break;
+ /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+ each coding 28 stereo samples. */
+ if (buf_size < 12) {
+ av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+ return AVERROR(EINVAL);
 }
 samples_in_chunk = AV_RL32(src);
+ if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+ av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+ return AVERROR(EINVAL);
+ }
 src += 4;
 current_left_sample = (int16_t)bytestream_get_le16(&src);
 previous_left_sample = (int16_t)bytestream_get_le16(&src);
_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
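Review bot: The second added check, `samples_in_chunk / 28 > (buf_size - 12) / 30`, is also what keeps the decoder inside the output buffer, because per the commit message the output size check assumes the input is never over-consumed, yet nothing at the check records that. I would add a comment above it such as `/* also protects the output: the output size check assumes src never runs past buf_size */` so a later edit does not loosen it as a pure input check. The comparison depends on the type of `samples_in_chunk`, which is declared outside the hunk; it is worth confirming it is unsigned, since a signed count read from the stream could be negative and would then not be rejected here. Both new error paths return `AVERROR(EINVAL)`; for malformed stream data `return AVERROR_INVALIDDATA;` would let callers tell corrupt input from API misuse. adpcm_decode_frame starts and ends outside the hunk.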
