[FFmpeg-cvslog] wmavoice: limit wmavoice_decode_packet return value to packet size
Andreas Cadhalpun
git at videolan.org
Sat Jul 18 20:46:01 CEST 2015
ffmpeg | branch: release/2.7 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Sun Jun 28 12:40:12 2015 +0200| [254fabe758a476587cefe96c49dbd8c8c3d575ac] | committer: Michael Niedermayer
wmavoice: limit wmavoice_decode_packet return value to packet size
Claiming to have decoded more bytes than the packet size is wrong.
Reviewed-by: Michael Niedermayer <michaelni at gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=254fabe758a476587cefe96c49dbd8c8c3d575ac
---
libavcodec/wmavoice.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index ae88d4e..fff1aa8 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
*got_frame_ptr) {
cnt += s->spillover_nbits;
s->skip_bits_next = cnt & 7;
- return cnt >> 3;
+ res = cnt >> 3;
+ if (res > avpkt->size) {
+ av_log(ctx, AV_LOG_ERROR,
+ "Trying to skip %d bytes in packet of size %d\n",
+ res, avpkt->size);
+ return AVERROR_INVALIDDATA;
+ }
+ return res;
} else
skip_bits_long (gb, s->spillover_nbits - cnt +
get_bits_count(gb)); // resync
@@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
} else if (*got_frame_ptr) {
int cnt = get_bits_count(gb);
s->skip_bits_next = cnt & 7;
- return cnt >> 3;
+ res = cnt >> 3;
+ if (res > avpkt->size) {
+ av_log(ctx, AV_LOG_ERROR,
+ "Trying to skip %d bytes in packet of size %d\n",
+ res, avpkt->size);
+ return AVERROR_INVALIDDATA;
+ }
+ return res;
} else if ((s->sframe_cache_size = pos) > 0) {
/* rewind bit reader to start of last (incomplete) superframe... */
init_get_bits(gb, avpkt->data, size << 3);
More information about the ffmpeg-cvslog
mailing list