[FFmpeg-cvslog] adpcm: check buffer size in IMA DK4 decoder before reading header.
Justin Ruggles
git at videolan.org
Sat Oct 1 03:06:40 CEST 2011
ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Sat Sep 10 13:54:02 2011 -0400| [5c9eb4fabbefd4ebb02620a0a3a6e10032ec069d] | committer: Justin Ruggles
adpcm: check buffer size in IMA DK4 decoder before reading header.
Also use the post-header data size to control termination of the main
decoding loop.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5c9eb4fabbefd4ebb02620a0a3a6e10032ec069d
---
libavcodec/adpcm.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index be10f88..80dc7ca 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -528,6 +528,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
if (avctx->block_align != 0 && buf_size > avctx->block_align)
buf_size = avctx->block_align;
+ n = buf_size - 4 * avctx->channels;
+ if (n < 0) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
for (channel = 0; channel < avctx->channels; channel++) {
cs = &c->status[channel];
cs->predictor = (int16_t)bytestream_get_le16(&src);
@@ -535,7 +541,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
src++;
*samples++ = cs->predictor;
}
- while (src < buf + buf_size) {
+ while (n-- > 0) {
uint8_t v = *src++;
*samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4 , 3);
*samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3);
More information about the ffmpeg-cvslog
mailing list