[FFmpeg-devel] [PATCH] wmavoice: limit wmavoice_decode_packet return value to packet size

Michael Niedermayer michaelni at gmx.at
Sat Jun 27 23:01:31 CEST 2015


On Sat, Jun 27, 2015 at 08:36:15PM +0200, Andreas Cadhalpun wrote:
> Claiming to have decoded more bytes than the packet size is wrong.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavcodec/wmavoice.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
> index ae88d4e..6cd407a 100644
> --- a/libavcodec/wmavoice.c
> +++ b/libavcodec/wmavoice.c
> @@ -1982,7 +1982,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
>                      *got_frame_ptr) {
>                      cnt += s->spillover_nbits;
>                      s->skip_bits_next = cnt & 7;
> -                    return cnt >> 3;
> +                    return FFMIN(cnt >> 3, avpkt->size);
>                  } else
>                      skip_bits_long (gb, s->spillover_nbits - cnt +
>                                      get_bits_count(gb)); // resync
> @@ -2001,7 +2001,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
>      } else if (*got_frame_ptr) {
>          int cnt = get_bits_count(gb);
>          s->skip_bits_next = cnt & 7;
> -        return cnt >> 3;
> +        return FFMIN(cnt >> 3, avpkt->size);
>      } else if ((s->sframe_cache_size = pos) > 0) {
>          /* rewind bit reader to start of last (incomplete) superframe... */
>          init_get_bits(gb, avpkt->data, size << 3);

am i assuming correct that gb was read beyond its end ?
if so this maybe should be treated as an error instead of cliping

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The educated differ from the uneducated as much as the living from the
dead. -- Aristotle 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150627/b2635dcf/attachment.asc>


More information about the ffmpeg-devel mailing list