On Wed, Oct 26, 2011 at 04:18:32PM -0400, Justin Ruggles wrote:
> The pointer address could overflow, which would likely segfault. Instead set
> the context error flag to indicate that the decoder tried to read past the
> end of the packet data.
> ---
> libavcodec/apedec.c | 9 ++++++---
> 1 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
> index 67304bc..63b2e32 100644
> --- a/libavcodec/apedec.c
> +++ b/libavcodec/apedec.c
> @@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
> {
> while (ctx->rc.range <= BOTTOM_VALUE) {
> ctx->rc.buffer <<= 8;
> - if(ctx->ptr < ctx->data_end)
> + if(ctx->ptr < ctx->data_end) {
> ctx->rc.buffer += *ctx->ptr;
> - ctx->ptr++;
> + ctx->ptr++;
> + } else {
> + ctx->error = 1;
> + }
> ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) &
> 0xFF);
> ctx->rc.range <<= 8;
> }
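Review bot: The new else branch in range_dec_normalize only sets `ctx->error` and lets the while loop continue, so once the packet is exhausted the range coder keeps normalizing with zero bits shifted into `rc.buffer`. As far as these hunks show, the flag is only acted on after the unpack call returns. That is memory-safe because `ctx->ptr` no longer moves past `ctx->data_end`, but the intent is not obvious on a first read. A comment on the else branch would record it, for example `/* out of packet data: leave ptr at data_end, decode zeros, caller rejects the frame */`. Since the `if` line is rewritten anyway, `if (ctx->ptr < ctx->data_end) {` would match the spacing the second hunk adopts.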
> @@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
> ape_unpack_stereo(s, blockstodecode);
> emms_c();
>
> - if(s->error || s->ptr > s->data_end){
> + if (s->error) {
> s->samples=0;
> av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
> return AVERROR_INVALIDDATA;
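Review bot: With `s->ptr > s->data_end` removed, `s->error` is the only over-read signal tested here, so the check now depends on every site that advances `s->ptr` being bounded and setting the flag. This patch shows only range_dec_normalize doing so. Any other reader of the packet pointer, and the place where `s->error` is cleared for a new frame, lie outside this hunk and are worth confirming before relying on the flag alone. A comment above the test, such as `/* s->error is set by range_dec_normalize() when it runs out of packet data */`, would make the dependency explicit. ape_decode_frame's body starts and ends outside the hunk.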
> --
looks OK