The pointer address could overflow, which would likely segfault. Instead set
the context error flag to indicate that the decoder tried to read past the
end of the packet data.
---
 libavcodec/apedec.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 67304bc..63b2e32 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
 {
     while (ctx->rc.range <= BOTTOM_VALUE) {
         ctx->rc.buffer <<= 8;
-        if(ctx->ptr < ctx->data_end)
+        if(ctx->ptr < ctx->data_end) {
             ctx->rc.buffer += *ctx->ptr;
-        ctx->ptr++;
+            ctx->ptr++;
+        } else {
+            ctx->error = 1;
+        }
         ctx->rc.low    = (ctx->rc.low << 8)    | ((ctx->rc.buffer >> 1) & 
0xFF);
         ctx->rc.range  <<= 8;
     }
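Review bot: The new `else` branch in range_dec_normalize records the overread but nothing in this hunk stops decoding, so a truncated packet keeps being decoded with zero bits shifted into `ctx->rc.buffer` until ape_decode_frame checks the flag. That is memory-safe, because `ctx->ptr` no longer advances past `ctx->data_end`, but the branch deserves a comment so the zero padding is not mistaken for valid input, for example `/* input exhausted: pad with zero bits and flag it; ape_decode_frame() rejects the frame */`. It is also worth confirming that `ctx->error` is cleared at the start of each frame, which is not visible here, since a stale flag would reject every later frame. The function's closing brace lies outside the hunk.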
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
         ape_unpack_stereo(s, blockstodecode);
     emms_c();
 
-    if(s->error || s->ptr > s->data_end){
+    if (s->error) {
         s->samples=0;
         av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
         return AVERROR_INVALIDDATA;
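Review bot: Dropping `s->ptr > s->data_end` from this check is safe only if range_dec_normalize is the sole place that advances `s->ptr`. Any other reader that moves the pointer (none is visible in this patch) would now run past the packet without setting `s->error` and without being caught here. Either confirm that every such site bounds-checks and sets the flag, or keep the comparison as a backstop: `if (s->error || s->ptr > s->data_end) {`. ape_decode_frame begins and ends outside the hunk.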
-- 
1.7.1
