[FFmpeg-cvslog] adpcm: fix out of bound reads due to integer overflow

[Laurent Aimar]

ffmpeg | branch: release/0.8 | Laurent Aimar <fenrir at videolan.org> | Fri Sep 30 23:42:32 2011 +0000| [518c72474d3fa3e90c80b2a9c6b8851f4be26544] | committer: Reinhard Tartler

adpcm: fix out of bound reads due to integer overflow

Signed-off-by: Janne Grunau <janne-libav at jannau.net>
(cherry picked from commit c7f89064e2f0fef8198aadf64b0daf12787404ee)

Signed-off-by: Anton Khirnov <anton at khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=518c72474d3fa3e90c80b2a9c6b8851f4be26544
---

 libavcodec/adpcm.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index b2d79a2..069690a 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1267,10 +1267,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
             buf_size -= 128;
         }
         break;
-    case CODEC_ID_ADPCM_IMA_EA_EACS:
+    case CODEC_ID_ADPCM_IMA_EA_EACS: {
+        unsigned header_size = 4 + (8<<st);
         samples_in_chunk = bytestream_get_le32(&src) >> (1-st);
 
-        if (samples_in_chunk > buf_size-4-(8<<st)) {
+        if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
             src += buf_size - 4;
             break;
         }
@@ -1285,6 +1286,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
             *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
         }
         break;
+    }
     case CODEC_ID_ADPCM_IMA_EA_SEAD:
         for (; src < buf+buf_size; src++) {
             *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);