[FFmpeg-cvslog] apedec: do not keep incrementing the input data pointer past the end of the
Justin Ruggles
git at videolan.org
Sat Oct 29 02:31:38 CEST 2011
ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Tue Oct 11 14:12:54 2011 -0400| [5b8009f4c80d8fd96523c8c163441ad4011ad472] | committer: Justin Ruggles
apedec: do not keep incrementing the input data pointer past the end of the
buffer during entropy decoding.
The pointer address could overflow, which would likely segfault. Instead set
the context error flag to indicate that the decoder tried to read past the
end of the packet data.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b8009f4c80d8fd96523c8c163441ad4011ad472
---
libavcodec/apedec.c | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index ef990bf..133eb2d 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
{
while (ctx->rc.range <= BOTTOM_VALUE) {
ctx->rc.buffer <<= 8;
- if(ctx->ptr < ctx->data_end)
+ if(ctx->ptr < ctx->data_end) {
ctx->rc.buffer += *ctx->ptr;
- ctx->ptr++;
+ ctx->ptr++;
+ } else {
+ ctx->error = 1;
+ }
ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) & 0xFF);
ctx->rc.range <<= 8;
}
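Review bot: in the new else branch of range_dec_normalize(), the error flag is set but the while loop carries on, shifting rc.buffer and updating rc.low and rc.range with no new input byte, so the range decoder keeps producing values from zero-fill until something looks at ctx->error. The only check visible in this patch is the one in ape_decode_frame() after ape_unpack_stereo(), so a truncated packet still costs a full frame of decoding on invalid state. Consider having the entropy decoding loop test ctx->error and stop early, or add a comment saying the zero-fill continuation is intentional. Minor style point: the changed line keeps `if(` while the second hunk moves to `if (`.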
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
ape_unpack_stereo(s, blockstodecode);
emms_c();
- if(s->error || s->ptr > s->data_end){
+ if (s->error) {
s->samples=0;
av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
return AVERROR_INVALIDDATA;
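Review bot: removing `s->ptr > s->data_end` from the condition in ape_decode_frame() makes s->error the only signal of an over-read, and this patch sets it in just one place, range_dec_normalize(). If any other code path advances s->ptr without the same bound check, an over-read there would no longer be reported; either confirm that range_dec_normalize() is the only place the pointer moves during decoding, or keep the comparison as a cheap defensive check. It is also worth confirming that s->error is cleared at the start of each frame, since nothing in this diff resets it and a stale flag would reject every later packet.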