From 39f4d329081732b24f5ad6ef222736f1453bbad2 Mon Sep 17 00:00:00 2001
From: Anssi Hannula
Date: Sun, 9 Jan 2011 23:01:01 +0000
Subject: [PATCH] Fix reading over the end of the allocated buffer.

Patch by Anssi Hannula, anssi d hannula a iki d fi

Originally committed as revision 26291 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/dca.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index 868fe2f2b5..eda89aa0f3 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -219,6 +219,8 @@ static const int8_t dca_channel_reorder_nolfe_xch[][9] = {
 #define DCA_MAX_FRAME_SIZE 16384
 #define DCA_MAX_EXSS_HEADER_SIZE 4096
 
+#define DCA_BUFFER_PADDING_SIZE 1024
+
 /** Bit allocation */
 typedef struct {
     int offset;                 ///< code values offset
@@ -315,7 +317,7 @@ typedef struct {
     DECLARE_ALIGNED(16, float, samples)[(DCA_PRIM_CHANNELS_MAX+1)*256];
     const float *samples_chanptr[DCA_PRIM_CHANNELS_MAX+1];
 
-    uint8_t dca_buffer[DCA_MAX_FRAME_SIZE + DCA_MAX_EXSS_HEADER_SIZE];
+    uint8_t dca_buffer[DCA_MAX_FRAME_SIZE + DCA_MAX_EXSS_HEADER_SIZE + DCA_BUFFER_PADDING_SIZE];
     int dca_buffer_size;        ///< how much data is in the dca_buffer
 
     const int8_t* channel_order_tab;  ///< channel reordering table, lfe and non lfe
@@ -605,6 +607,9 @@ static int dca_subframe_header(DCAContext * s, int base_channel, int block_index
     /* Primary audio coding side information */
     int j, k;
 
+    if (get_bits_left(&s->gb) < 0)
+        return -1;
+
     if (!base_channel) {
         s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1;
         s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3);
@@ -661,6 +666,9 @@ static int dca_subframe_header(DCAContext * s, int base_channel, int block_index
         }
     }
 
+    if (get_bits_left(&s->gb) < 0)
+        return -1;
+
     for (j = base_channel; j < s->prim_channels; j++) {
         const uint32_t *scale_table;
         int scale_sum;
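Review bot: `#define DCA_BUFFER_PADDING_SIZE 1024` is introduced without a comment saying what the padding is for or how the value was chosen, and the later hunks depend on it: they test `get_bits_left(&s->gb) < 0` only after the reads have happened, so this padding is what keeps those reads inside dca_buffer. The coupling should be stated at the define, e.g. `/* Slack after the frame so the bit reader can run past dca_buffer_size without leaving the buffer; must exceed the number of bytes any path reads between two get_bits_left() checks. */`. Whether 1024 bytes really bounds the worst-case read between checks cannot be confirmed from this patch, so the derivation is worth recording next to the value. Bytes in the padding are consumed as bitstream data until the next check, so unless the context memory is zeroed (allocation is outside these hunks) the output for a truncated frame depends on stale buffer contents rather than on a defined value.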
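Review bot: The new `get_bits_left(&s->gb) < 0` tests in dca_subframe_header (this hunk and the next two, before the scale-factor loop and before the joint-subband scale factors) and in dca_subsubframe catch an overrun only after it has occurred, so every `get_bits()` between two checks still executes against whatever lies past the end of the frame; the fix is sound only while that span stays within the padding added to dca_buffer, and nothing in the code says so. A one-line comment on the first check would make the invariant explicit: `/* Earlier reads may already have run past the frame; the padding on dca_buffer keeps them in bounds until they are caught here. */`. The checks accept `get_bits_left() == 0`, which is correct for a frame consumed exactly. dca_subframe_header begins before and continues after this hunk, and whether its callers act on the `-1` is not visible here.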
@@ -696,6 +704,9 @@ static int dca_subframe_header(DCAContext * s, int base_channel, int block_index
             s->joint_huff[j] = get_bits(&s->gb, 3);
     }
 
+    if (get_bits_left(&s->gb) < 0)
+        return -1;
+
     /* Scale factors for joint subband coding */
     for (j = base_channel; j < s->prim_channels; j++) {
         int source_channel;
@@ -1053,6 +1064,9 @@ static int dca_subsubframe(DCAContext * s, int base_channel, int block_index)
         quant_step_table = lossy_quant_d;
 
     for (k = base_channel; k < s->prim_channels; k++) {
+        if (get_bits_left(&s->gb) < 0)
+            return -1;
+
         for (l = 0; l < s->vq_start_subband[k]; l++) {
             int m;