authorJustin Ruggles <justin.ruggles@gmail.com>2011-09-08 18:57:56 -0400
committerJustin Ruggles <justin.ruggles@gmail.com>2011-09-29 16:54:00 -0400
commitac94b8bcc6cdba000ada0c84b4c287f7f37f2384 (patch)
tree2f2b5af1b9bc5eb762bbb502d622db20284258fd
parentde0b586a87c510685bd9a32ca832007c422d7cd8 (diff)
adpcm: simplify packet size bounds checking in the ADPCM IMA QT decoder.
This is easier to understand. It also avoids returning existing samples mixed with new samples when the packet is too small.
-rw-r--r--libavcodec/adpcm.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index c6b0aaa399..ae3f99ba0d 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -379,7 +379,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
switch(avctx->codec->id) {
case CODEC_ID_ADPCM_IMA_QT:
- n = buf_size - 2*avctx->channels;
+ /* In QuickTime, IMA is encoded by chunks of 34 bytes (=64 samples).
+ Channel data is interleaved per-chunk. */
+ if (buf_size / 34 < avctx->channels) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
for (channel = 0; channel < avctx->channels; channel++) {
int16_t predictor;
int step_index;
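Review bot: The guard `if (buf_size / 34 < avctx->channels)` is now the only thing bounding the `src` reads in the per-channel loop, because the second hunk's nibble loop runs a fixed 32 iterations and no longer tracks remaining bytes. The comment above the guard does not say that, or why the test divides rather than multiplies. I would extend it to something like `/* Each channel needs one full 34-byte chunk; dividing avoids overflow in 34 * channels. */`. The error would also be easier to triage with the values in it, e.g. `av_log(avctx, AV_LOG_ERROR, "packet is too small (%d bytes, %d channels)\n", buf_size, avctx->channels);`. The body of adpcm_decode_frame starts and ends outside the hunk, so any validation of `avctx->channels` itself is not visible here.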
@@ -412,7 +417,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
samples = (short*)data + channel;
- for(m=32; n>0 && m>0; n--, m--) { /* in QuickTime, IMA is encoded by chuncks of 34 bytes (=64 samples) */
+ for (m = 0; m < 32; m++) {
*samples = adpcm_ima_qt_expand_nibble(cs, src[0] & 0x0F, 3);
samples += avctx->channels;
*samples = adpcm_ima_qt_expand_nibble(cs, src[0] >> 4 , 3);
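Review bot: With the `n>0` term gone, `for (m = 0; m < 32; m++)` writes 64 samples per channel through `samples` unconditionally, and nothing in this hunk bounds those writes against the output buffer. The input side is covered by the new size check in the first hunk. Any output capacity check earlier in adpcm_decode_frame is outside the visible lines, so it is worth confirming that it guarantees room for `64 * avctx->channels` samples rather than a figure derived only from the old byte count. I would also state the invariant at the loop, e.g. `/* 32 data bytes = 64 samples; packet size was validated at the top of this case */`, since the explanatory comment was moved away from here. The loop body continues past the end of the hunk.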