From 7f0926498c59f87c05fcdc1994d9701d9d5f5bd4 Mon Sep 17 00:00:00 2001
From: Uoti Urpala
Date: Mon, 6 Aug 2012 21:22:37 +0300
Subject: [PATCH] ad_ffmpeg: add sanity check against decoder overreads

The libavcodec Musepack SV8 decoder returned 2 bytes consumed for 1 byte input, which triggered a crash due to negative input packet size later. Add a sanity check to prevent crashes with this type of minor decoder overreads. Also add a check to parser consumed data.
---
 libmpcodecs/ad_ffmpeg.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libmpcodecs/ad_ffmpeg.c b/libmpcodecs/ad_ffmpeg.c
index a20689eab8..c4d7c13941 100644
--- a/libmpcodecs/ad_ffmpeg.c
+++ b/libmpcodecs/ad_ffmpeg.c
@@ -291,6 +291,7 @@ static int decode_new_packet(struct sh_audio *sh)
         start = mpkt->buffer + mpkt->len - priv->previous_data_left;
         int consumed = ds_parse(sh->ds, &start, &insize, pts, 0);
         priv->previous_data_left -= consumed;
+        priv->previous_data_left = FFMAX(priv->previous_data_left, 0);
     }
 
     AVPacket pkt;
@@ -314,8 +315,9 @@ static int decode_new_packet(struct sh_audio *sh)
         mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: error\n");
         return -1;
     }
-    if (!sh->parser)
-        priv->previous_data_left += insize - ret;
+    // The "insize >= ret" test is sanity check against decoder overreads
+    if (!sh->parser && insize >= ret)
+        priv->previous_data_left = insize - ret;
     if (!got_frame)
         return 0;
     /* An error is reported later from output format checking, but make
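Review bot: Both new guards absorb an overread silently — the FFMAX clamp in the first hunk and the `insize >= ret` test in the second leave no trace in the log, so a malformed stream or a decoder that reports more bytes consumed than it was given becomes indistinguishable from normal operation, even though this very bug was only found through a crash. A verbose-level diagnostic at each point would make the next occurrence visible without changing the recovery, e.g. before the guarded assignment in the second hunk `if (insize < ret) mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: decoder consumed %d of %d bytes\n", ret, insize);` (assuming both are int, as the `ret < 0` comparison suggests) and the analogous message when `consumed > priv->previous_data_left` in the first. Note also that when the guard fails, priv->previous_data_left keeps whatever the parser branch left it at; whether that is 0 in the `!sh->parser` case depends on what ds_parse reports as consumed, which is outside the hunk, and the same assumption is what makes the switch from `+=` to `=` behaviour-neutral. decode_new_packet begins before and continues after both hunks.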