diff options
| author | Paul B Mahol <onemda@gmail.com> | 2023-12-05 14:46:26 +0100 |
|---|---|---|
| committer | Paul B Mahol <onemda@gmail.com> | 2023-12-05 14:50:21 +0100 |
| commit | 7e453dad3c776768ec71ac4a65c2859bb660c498 (patch) | |
| tree | 5a90b19c303d406617333003b8a8a945b1b1fdee | |
| parent | 6e26a5a64e123535026e2266ae039baed72f35d6 (diff) | |
avcodec/qoadec: fix overreads and fix packet size check
| -rw-r--r-- | libavcodec/qoadec.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/qoadec.c b/libavcodec/qoadec.c index 443f42a527..75099d1199 100644 --- a/libavcodec/qoadec.c +++ b/libavcodec/qoadec.c @@ -110,8 +110,8 @@ static int qoa_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (frame_size > avpkt->size) return AVERROR_INVALIDDATA; - if (frame_size < 8 + QOA_LMS_LEN * 4 * nb_channels + - 8LL * frame->nb_samples * nb_channels / QOA_SLICE_LEN) + if (avpkt->size < 8 + QOA_LMS_LEN * 4 * nb_channels + + 8LL * ((frame->nb_samples + QOA_SLICE_LEN - 1) / QOA_SLICE_LEN) * nb_channels) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) @@ -127,7 +127,7 @@ static int qoa_decode_frame(AVCodecContext *avctx, AVFrame *frame, qch->weights[n] = sign_extend(bytestream2_get_be16u(&gb), 16); } - for (int sample_index = 0; sample_index < frame->nb_samples * nb_channels; + for (int sample_index = 0; sample_index < frame->nb_samples; sample_index += QOA_SLICE_LEN) { for (int ch = 0; ch < nb_channels; ch++) { QOAChannel *lms = &s->ch[ch]; |