RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-03 02:58:02 +00:00
Code Issues Projects Releases Wiki Activity

check validity of pointer srcC

Browse Source 
Originally committed as revision 16973 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Stefan Gehrer 2009-02-03 17:56:24 +00:00
parent 61eb8cc420
commit cc55c46498
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/adpcm.c
View File

@ -1285,6 +1285,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
unsigned int channel; unsigned int channel;
uint16_t *samplesC; uint16_t *samplesC;
const uint8_t *srcC; const uint8_t *srcC;
const uint8_t *src_end = buf + buf_size;
samples_in_chunk = (big_endian ? bytestream_get_be32(&src) samples_in_chunk = (big_endian ? bytestream_get_be32(&src)
: bytestream_get_le32(&src)) / 28; : bytestream_get_le32(&src)) / 28;
@ -1295,9 +1296,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
} }
for (channel=0; channel<avctx->channels; channel++) { for (channel=0; channel<avctx->channels; channel++) {
srcC = src + (avctx->channels-channel) * 4; int32_t offset = (big_endian ? bytestream_get_be32(&src)
srcC += (big_endian ? bytestream_get_be32(&src) : bytestream_get_le32(&src))
: bytestream_get_le32(&src)); + (avctx->channels-channel-1) * 4;
if ((offset < 0) || (offset >= src_end - src - 4)) break;
srcC = src + offset;
samplesC = samples + channel; samplesC = samples + channel;
if (avctx->codec->id == CODEC_ID_ADPCM_EA_R1) { if (avctx->codec->id == CODEC_ID_ADPCM_EA_R1) {
@ -1311,6 +1315,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
for (count1=0; count1<samples_in_chunk; count1++) { for (count1=0; count1<samples_in_chunk; count1++) {
if (*srcC == 0xEE) { /* only seen in R2 and R3 */ if (*srcC == 0xEE) { /* only seen in R2 and R3 */
srcC++; srcC++;
if (srcC > src_end - 30*2) break;
current_sample = (int16_t)bytestream_get_be16(&srcC); current_sample = (int16_t)bytestream_get_be16(&srcC);
previous_sample = (int16_t)bytestream_get_be16(&srcC); previous_sample = (int16_t)bytestream_get_be16(&srcC);
@ -1323,6 +1328,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
coeff2 = ea_adpcm_table[(*srcC>>4) + 4]; coeff2 = ea_adpcm_table[(*srcC>>4) + 4];
shift = (*srcC++ & 0x0F) + 8; shift = (*srcC++ & 0x0F) + 8;
if (srcC > src_end - 14) break;
for (count2=0; count2<28; count2++) { for (count2=0; count2<28; count2++) {
if (count2 & 1) if (count2 & 1)
next_sample = (int32_t)((*srcC++ & 0x0F) << 28) >> shift; next_sample = (int32_t)((*srcC++ & 0x0F) << 28) >> shift;