Fix input buffer size check in adpcm_ea decoder.

Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, so this bug actually
also allowed writes outside the output buffer if "lucky".

Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185
pull/2/head
Reimar Döffinger 13 years ago committed by Justin Ruggles
parent c2d3f56107
commit ffe92ff9f0
  1. 12
      libavcodec/adpcm.c

@ -633,11 +633,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
} }
break; break;
case CODEC_ID_ADPCM_EA: case CODEC_ID_ADPCM_EA:
if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) { /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
src += buf_size; each coding 28 stereo samples. */
break; if (buf_size < 12) {
av_log(avctx, AV_LOG_ERROR, "frame too small\n");
return AVERROR(EINVAL);
} }
samples_in_chunk = AV_RL32(src); samples_in_chunk = AV_RL32(src);
if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
return AVERROR(EINVAL);
}
src += 4; src += 4;
current_left_sample = (int16_t)bytestream_get_le16(&src); current_left_sample = (int16_t)bytestream_get_le16(&src);
previous_left_sample = (int16_t)bytestream_get_le16(&src); previous_left_sample = (int16_t)bytestream_get_le16(&src);
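Review bot: The new bound `samples_in_chunk / 28 > (buf_size - 12) / 30` only holds if `samples_in_chunk` is unsigned. Its declaration is outside this hunk, and if it is a signed 32-bit type, a frame header with the top bit set gives a negative count that passes the comparison. Since `buf_size >= 12` is already guaranteed at that point, forcing the comparison unsigned is safe: `if ((unsigned)samples_in_chunk / 28 > (unsigned)(buf_size - 12) / 30) {`. The division also truncates, so a count that is not a multiple of 28 is accepted; that is safe only if the decode loop further down (not visible here) iterates `samples_in_chunk / 28` times rather than using the raw count, which deserves a one-line comment next to the check. The case body continues past the end of the hunk.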
