RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-25 04:19:05 +00:00
Code Issues Projects Releases Wiki Activity

ws_snd: add some checks to prevent buffer overread or overwrite.

Browse Source
This commit is contained in:
Justin Ruggles 2011-09-12 09:41:06 -04:00
parent 2322ced8da
commit 417364ce1f
1 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
libavcodec/ws-snd1.c
View File

@ -61,6 +61,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
if (!buf_size) if (!buf_size)
return 0; return 0;
if (buf_size < 4) {
av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
return AVERROR(EINVAL);
}
out_size = AV_RL16(&buf[0]); out_size = AV_RL16(&buf[0]);
in_size = AV_RL16(&buf[2]); in_size = AV_RL16(&buf[2]);
buf += 4; buf += 4;
@ -74,20 +79,37 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
return -1; return -1;
} }
*data_size = out_size;
if (in_size == out_size) { if (in_size == out_size) {
for (i = 0; i < out_size; i++) for (i = 0; i < out_size; i++)
*samples++ = *buf++; *samples++ = *buf++;
*data_size = out_size;
return buf_size; return buf_size;
} }
while (out_size > 0) { while (out_size > 0 && buf - avpkt->data < buf_size) {
int code; int code, smp, size;
uint8_t count; uint8_t count;
code = (*buf) >> 6; code = (*buf) >> 6;
count = (*buf) & 0x3F; count = (*buf) & 0x3F;
buf++; buf++;
/* make sure we don't write more than out_size samples */
switch (code) {
case 0: smp = 4; break;
case 1: smp = 2; break;
case 2: smp = (count & 0x20) ? 1 : count + 1; break;
default: smp = count + 1; break;
}
if (out_size < smp) {
out_size = 0;
break;
}
/* make sure we don't read past the input buffer */
size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1;
if ((buf - avpkt->data) + size > buf_size)
break;
switch(code) { switch(code) {
case 0: /* ADPCM 2-bit */ case 0: /* ADPCM 2-bit */
for (count++; count > 0; count--) { for (count++; count > 0; count--) {
@ -144,6 +166,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
} }
} }
*data_size = samples - (uint8_t *)data;
return buf_size; return buf_size;
} }