Hi, On Wed, Feb 29, 2012 at 1:12 PM, Ronald S. Bultje <[email protected]> wrote: > On Wed, Feb 29, 2012 at 1:09 PM, Vitor Sessak <[email protected]> wrote: >> --- >> libavcodec/amrnbdec.c | 8 ++++++++ >> 1 files changed, 8 insertions(+), 0 deletions(-) >> >> diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c >> index fff0e72..cdfcfc7 100644 >> --- a/libavcodec/amrnbdec.c >> +++ b/libavcodec/amrnbdec.c >> @@ -200,6 +200,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const >> uint8_t *buf, >> p->bad_frame_indicator = !get_bits1(&gb); // quality bit >> skip_bits(&gb, 2); // two padding bits >> >> + if (buf_size < frame_sizes_nb[mode] + 1) { >> + return NO_DATA; >> + } > > This will overread a static array if mode (4bit unchecked) is read > from /dev/random. I think it should be "if (mode >= N_MODES || ...)" > here. > >> if (mode < MODE_DTX) >> ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + >> 1, >> amr_unpacking_bitmaps_per_mode[mode]); >> @@ -947,6 +951,10 @@ static int amrnb_decode_frame(AVCodecContext *avctx, >> void *data, >> buf_out = (float *)p->avframe.data[0]; >> >> p->cur_frame_mode = unpack_bitstream(p, buf, buf_size); >> + if (p->cur_frame_mode == NO_DATA) { >> + av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n"); >> + return AVERROR_INVALIDDATA; >> + }
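Review bot: in the unpack_bitstream() hunk, the new test reads frame_sizes_nb[mode] before mode itself has been range-checked, so the length check can index past the end of the static table on a corrupt header, as the reply above points out. Put the range test first in the same condition so it short-circuits, "if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1)", and add a short comment that the "+ 1" accounts for the header byte skipped by the "buf + 1" passed to ff_amr_bit_reorder() just below.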
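Review bot: in the amrnb_decode_frame() hunk, NO_DATA is used as the error signal from unpack_bitstream(), which returns enum Mode; if NO_DATA is also a mode value a stream can legitimately carry, such frames would now be rejected with AVERROR_INVALIDDATA. Either confirm that no valid frame reaches this point with cur_frame_mode == NO_DATA, or report the short-buffer case through a separate value so the two cases stay distinguishable. The "Corrupt bitstream" message would also be more useful if it said the frame is too short for its mode.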
Committed with that fixed. Ronald
