diff options
| author | Laurent Aimar <fenrir@videolan.org> | 2011-09-30 23:42:32 +0000 |
|---|---|---|
| committer | Janne Grunau <janne-libav@jannau.net> | 2011-10-10 21:36:12 +0200 |
| commit | c7f89064e2f0fef8198aadf64b0daf12787404ee (patch) | |
| tree | 16dda5fa6a814f40d5d7f1987907be8d0030eb63 /libavcodec/adpcm.c | |
| parent | 2475f1a83ccf313d828b25f1769e3a37442ecf64 (diff) | |
adpcm: fix out of bound reads due to integer overflow
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
Diffstat (limited to 'libavcodec/adpcm.c')
| -rw-r--r-- | libavcodec/adpcm.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index fadafafa3f..98da4591b0 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -630,10 +630,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, buf_size -= 128; } break; - case CODEC_ID_ADPCM_IMA_EA_EACS: + case CODEC_ID_ADPCM_IMA_EA_EACS: { + unsigned header_size = 4 + (8<<st); samples_in_chunk = bytestream_get_le32(&src) >> (1-st); - if (samples_in_chunk > buf_size-4-(8<<st)) { + if (buf_size < header_size || samples_in_chunk > buf_size - header_size) { src += buf_size - 4; break; } @@ -648,6 +649,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3); } break; + } case CODEC_ID_ADPCM_IMA_EA_SEAD: for (; src < buf+buf_size; src++) { *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6); |