apedec: do not keep incrementing the input data pointer past the end of the

buffer during entropy decoding.

The pointer address could overflow, which would likely segfault. Instead set
the context error flag to indicate that the decoder tried to read past the
end of the packet data.
Justin Ruggles 2011-10-11 14:12:54 -04:00
parent a4c32c9a63
commit 5b8009f4c8
1 changed files with 6 additions and 3 deletions


@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
{
while (ctx->rc.range <= BOTTOM_VALUE) {
ctx->rc.buffer <<= 8;
if(ctx->ptr < ctx->data_end)
if(ctx->ptr < ctx->data_end) {
ctx->rc.buffer += *ctx->ptr;
ctx->ptr++;
ctx->ptr++;
} else {
ctx->error = 1;
}
ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) & 0xFF);
ctx->rc.range <<= 8;
}
@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
ape_unpack_stereo(s, blockstodecode);
emms_c();
if(s->error || s->ptr > s->data_end){
if (s->error) {
s->samples=0;
av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
return AVERROR_INVALIDDATA;