RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2024-12-26 01:02:33 +00:00
Code Issues Projects Releases Wiki Activity

avcodec/adpcm: Check for overreads

Browse Source 
See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2015-06-04 22:34:12 +02:00
parent a34d902325
commit 3c803ed9cb
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
libavcodec/adpcm.c
View File

@ -578,6 +578,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
case AV_CODEC_ID_ADPCM_IMA_DK4: case AV_CODEC_ID_ADPCM_IMA_DK4:
if (avctx->block_align > 0) if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align); buf_size = FFMIN(buf_size, avctx->block_align);
if (buf_size < 4 * ch)
return AVERROR_INVALIDDATA;
nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch;
break; break;
case AV_CODEC_ID_ADPCM_IMA_RAD: case AV_CODEC_ID_ADPCM_IMA_RAD:
@ -591,13 +593,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2];
if (avctx->block_align > 0) if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align); buf_size = FFMIN(buf_size, avctx->block_align);
if (buf_size < 4 * ch)
return AVERROR_INVALIDDATA;
nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples;
break; break;
} }
case AV_CODEC_ID_ADPCM_MS: case AV_CODEC_ID_ADPCM_MS:
if (avctx->block_align > 0) if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align); buf_size = FFMIN(buf_size, avctx->block_align);
nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; nb_samples = (buf_size - 6 * ch) * 2 / ch;
break; break;
case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_2:
case AV_CODEC_ID_ADPCM_SBPRO_3: case AV_CODEC_ID_ADPCM_SBPRO_3:
@ -610,6 +614,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break;
} }
if (!s->status[0].step_index) { if (!s->status[0].step_index) {
if (buf_size < ch)
return AVERROR_INVALIDDATA;
nb_samples++; nb_samples++;
buf_size -= ch; buf_size -= ch;
} }
@ -1528,6 +1534,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
*got_frame_ptr = 1; *got_frame_ptr = 1;
if (avpkt->size < bytestream2_tell(&gb)) {
av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb));
return avpkt->size;
}
return bytestream2_tell(&gb); return bytestream2_tell(&gb);
} }