From cc55c464987c0bfceef32efffd73069509ea784c Mon Sep 17 00:00:00 2001 From: Stefan Gehrer Date: Tue, 3 Feb 2009 17:56:24 +0000 Subject: [PATCH] check validity of pointer srcC Originally committed as revision 16973 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavcodec/adpcm.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5ccddc653d..415ec99b3d 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1285,6 +1285,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, unsigned int channel; uint16_t *samplesC; const uint8_t *srcC; + const uint8_t *src_end = buf + buf_size; samples_in_chunk = (big_endian ? bytestream_get_be32(&src) : bytestream_get_le32(&src)) / 28; @@ -1295,9 +1296,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx, } for (channel=0; channelchannels; channel++) { - srcC = src + (avctx->channels-channel) * 4; - srcC += (big_endian ? bytestream_get_be32(&src) - : bytestream_get_le32(&src)); + int32_t offset = (big_endian ? bytestream_get_be32(&src) + : bytestream_get_le32(&src)) + + (avctx->channels-channel-1) * 4; + + if ((offset < 0) || (offset >= src_end - src - 4)) break; + srcC = src + offset; samplesC = samples + channel; if (avctx->codec->id == CODEC_ID_ADPCM_EA_R1) { @@ -1311,6 +1315,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, for (count1=0; count1 src_end - 30*2) break; current_sample = (int16_t)bytestream_get_be16(&srcC); previous_sample = (int16_t)bytestream_get_be16(&srcC); @@ -1323,6 +1328,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, coeff2 = ea_adpcm_table[(*srcC>>4) + 4]; shift = (*srcC++ & 0x0F) + 8; + if (srcC > src_end - 14) break; for (count2=0; count2<28; count2++) { if (count2 & 1) next_sample = (int32_t)((*srcC++ & 0x0F) << 28) >> shift;