From 6ab681a4c1ffc0d5c36ebf13a10e0ecc61c81429 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Thu, 9 Feb 2012 14:49:59 -0500
Subject: ttadec: fix invalid free when an error occurs while decoding 24-bit tta
---
 libavcodec/tta.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
(limited to 'libavcodec/tta.c')
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 49d59538d3..853f6a2aae 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -339,12 +339,16 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
 unary--;
 }
- if (get_bits_left(&s->gb) < k)
- return -1;
+ if (get_bits_left(&s->gb) < k) {
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
 if (k) {
- if (k > MIN_CACHE_BITS)
- return -1;
+ if (k > MIN_CACHE_BITS) {
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
 value = (unary << k) + get_bits(&s->gb, k);
 } else
 value = unary;
@@ -397,8 +401,10 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
 }
 }
- if (get_bits_left(&s->gb) < 32)
- return -1;
+ if (get_bits_left(&s->gb) < 32) {
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
 skip_bits_long(&s->gb, 32); // frame crc
 // convert to output buffer
@@ -419,6 +425,11 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
 *(AVFrame *)data = s->frame;
 return buf_size;
+error:
+ // reset decode buffer
+ if (s->bps == 3)
+ s->decode_buffer = NULL;
+ return ret;
 }
 static av_cold int tta_decode_close(AVCodecContext *avctx) {
-- 
cgit v1.2.3
From 7416d610362807848236ceff1bc6740dbc82842d Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Fri, 10 Feb 2012 10:51:43 -0800
Subject: tta: error out if samplerate is zero. Prevents a division by zero later on.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/tta.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'libavcodec/tta.c')
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 853f6a2aae..28d0e9b7e9 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
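Review bot: The guard `get_bits_left(&s->gb) < k` in the @@ -339 hunk of the ttadec commit may not fire once the reader has already run past the end of the packet. get_bits_left() returns a signed int, and if `k` is an unsigned type (its declaration is outside the hunk) a negative remainder is converted to a large unsigned value before the comparison. Checking the range of `k` first and comparing as signed closes that gap, e.g. `if (k > MIN_CACHE_BITS || get_bits_left(&s->gb) < (int)k) {` with the same `ret = AVERROR_INVALIDDATA; goto error;` body. tta_decode_frame begins and ends outside this hunk.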
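Review bot: None of the three new `goto error` exits (the one in the @@ -397 hunk and both in the @@ -339 hunk) logs anything, so a truncated or malformed packet is rejected with no indication of which bound was violated. A line such as `av_log(avctx, AV_LOG_ERROR, "Unexpected end of frame data\n");` before `ret = AVERROR_INVALIDDATA;` would make such inputs traceable when triaging a fuzzing run or a bug report. The context line `skip_bits_long(&s->gb, 32); // frame crc` shows the frame CRC is stepped over rather than verified, so this length check is the only integrity test visible at this point.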
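Review bot: The `error:` label in the @@ -419 hunk clears `s->decode_buffer` only when `s->bps == 3`, and the comment `// reset decode buffer` does not say why that case is special. Judging by the commit subject, in 24-bit mode the field presumably points at memory the decoder does not own, so the comment should say so, e.g. `// 24-bit: decode_buffer is borrowed, not allocated here; clear it so tta_decode_close() never frees it`. The fix also holds only if every failure exit taken while the pointer is borrowed goes through `error:`; the start of tta_decode_frame is outside these hunks, so any bare `return` remaining there needs the same treatment. Keeping the borrowed pointer in a local variable instead of the context would remove the need for the reset altogether.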
@@ -223,6 +223,9 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
 if (s->channels == 0) {
 av_log(s->avctx, AV_LOG_ERROR, "Invalid number of channels\n");
 return AVERROR_INVALIDDATA;
+ } else if (avctx->sample_rate == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid samplerate\n");
+ return AVERROR_INVALIDDATA;
 }
 switch(s->bps) {
-- 
cgit v1.2.3
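Review bot: The added test `avctx->sample_rate == 0` rejects only the exact value zero, and the division it is meant to protect is outside this hunk. `sample_rate` in AVCodecContext is a signed int, so a header value with the top bit set would pass as a negative rate; `} else if (avctx->sample_rate <= 0) {` covers both cases. If the divisor is derived from the rate rather than being the rate itself, a check on the derived value next to the division would be the sturdier guard. tta_decode_init's body continues beyond the hunk.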