mirror of
https://github.com/mpv-player/mpv
synced 2025-02-19 22:36:55 +00:00
ad_ffmpeg: add sanity check against decoder overreads
The libavcodec Musepack SV8 decoder returned 2 bytes consumed for 1 byte input, which triggered a crash due to negative input packet size later. Add a sanity check to prevent crashes with this type of minor decoder overreads. Also add a check to parser consumed data.
This commit is contained in:
Uoti Urpala
wm4
parent
202ea8214e
commit
7f0926498c
@ -291,6 +291,7 @@ static int decode_new_packet(struct sh_audio *sh)
|
|||||||
start = mpkt->buffer + mpkt->len - priv->previous_data_left;
|
start = mpkt->buffer + mpkt->len - priv->previous_data_left;
|
||||||
int consumed = ds_parse(sh->ds, &start, &insize, pts, 0);
|
int consumed = ds_parse(sh->ds, &start, &insize, pts, 0);
|
||||||
priv->previous_data_left -= consumed;
|
priv->previous_data_left -= consumed;
|
||||||
|
priv->previous_data_left = FFMAX(priv->previous_data_left, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
AVPacket pkt;
|
AVPacket pkt;
|
||||||
@ -314,8 +315,9 @@ static int decode_new_packet(struct sh_audio *sh)
|
|||||||
mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: error\n");
|
mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: error\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (!sh->parser)
|
// The "insize >= ret" test is sanity check against decoder overreads
|
||||||
priv->previous_data_left += insize - ret;
|
if (!sh->parser && insize >= ret)
|
||||||
|
priv->previous_data_left = insize - ret;
|
||||||
if (!got_frame)
|
if (!got_frame)
|
||||||
return 0;
|
return 0;
|
||||||
/* An error is reported later from output format checking, but make
|
/* An error is reported later from output format checking, but make
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user