ad_ffmpeg: add sanity check against decoder overreads

The libavcodec Musepack SV8 decoder returned 2 bytes consumed for 1 byte input, which triggered a crash due to negative input packet size later. Add a sanity check to prevent crashes with this type of minor decoder overreads. Also add a check to parser consumed data.
2025-02-16 20:27:23 +00:00 · 2012-08-06 21:22:37 +03:00 · 2012-08-06 21:22:37 +03:00 · 7f0926498c
commit 7f0926498c
parent 202ea8214e
1 changed files with 4 additions and 2 deletions
--- a/libmpcodecs/ad_ffmpeg.c
+++ b/libmpcodecs/ad_ffmpeg.c
@ -291,6 +291,7 @@ static int decode_new_packet(struct sh_audio *sh)
        start = mpkt->buffer + mpkt->len - priv->previous_data_left;
        int consumed = ds_parse(sh->ds, &start, &insize, pts, 0);
        priv->previous_data_left -= consumed;
+        priv->previous_data_left = FFMAX(priv->previous_data_left, 0);
    }

    AVPacket pkt;
@ -314,8 +315,9 @@ static int decode_new_packet(struct sh_audio *sh)
        mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: error\n");
        return -1;
    }
-    if (!sh->parser)
-        priv->previous_data_left += insize - ret;
+    // The "insize >= ret" test is sanity check against decoder overreads
+    if (!sh->parser && insize >= ret)
+        priv->previous_data_left = insize - ret;
    if (!got_frame)
        return 0;
    /* An error is reported later from output format checking, but make