[FFmpeg-devel] [libav-devel] [PATCH] wmavoice: limit wmavoice_decode_packet return value to packet size

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sun Jun 28 13:39:41 CEST 2015

On 28.06.2015 13:13, Ronald S. Bultje wrote:
> On Sun, Jun 28, 2015 at 5:28 AM, Andreas Cadhalpun
>> Treating one like an error, but not the other seems strange as well.
>> One could add an explode mode for both. Would that be better?
> In the first case, it's an error. If the frame size is 2 bits, the header
> is 1, and it specifies a spillover bits of 2, then the frame is clearly
> corrupt. Returning an error is fine. The ffmin() isn't necessary. I also
> don't think an explode mode check is necessary here, it's a clear error
> that is unrecoverable for this frame.

I've no strong preference. Attached is a variant just returning an error.

> In the second case, does that actually happen?


> Wmavoice is one of the
> limited number of decoders that internally checks for overreads.
> get_bits_count() should never overread.

It doesn't check everywhere:
    /* Statistics? FIXME - we don't check for length, a slight overrun
     * will be caught by internal buffer padding, and anything else
     * will be skipped, not read. */
    if (get_bits1(gb)) {
        res = get_bits(gb, 4);
        skip_bits(gb, 10 * (res + 1));

> Do you have samples for which this happens?


> We currently basically return an error on any possible overread
> signified in the bitstream (without actually overreading), so doing so here
> also would make sense (if it really happens at all).


> (We could also remove all the overread checks in the decoder, make it use
> the safe bitstream reader mode, and then check for overreads at the end of
> synth_superframe or in the caller, and then return an error. I have no
> specific preference, and this may lead to less code overall.)

That should work as well, but would be a larger change.

Best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-wmavoice-limit-wmavoice_decode_packet-return-value-t.patch
Type: text/x-diff
Size: 2070 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150628/51a814d2/attachment.bin>

More information about the ffmpeg-devel mailing list