Commit 154b8bb8 authored by Ronald S. Bultje's avatar Ronald S. Bultje

amrwb: error out early if mode is invalid.

Prevents using the invalid mode as an index in a static array, which
would generate invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 291c9b62
...@@ -1095,23 +1095,27 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data, ...@@ -1095,23 +1095,27 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data,
buf_out = (float *)ctx->avframe.data[0]; buf_out = (float *)ctx->avframe.data[0];
header_size = decode_mime_header(ctx, buf); header_size = decode_mime_header(ctx, buf);
if (ctx->fr_cur_mode > MODE_SID) {
av_log(avctx, AV_LOG_ERROR,
"Invalid mode %d\n", ctx->fr_cur_mode);
return AVERROR_INVALIDDATA;
}
expected_fr_size = ((cf_sizes_wb[ctx->fr_cur_mode] + 7) >> 3) + 1; expected_fr_size = ((cf_sizes_wb[ctx->fr_cur_mode] + 7) >> 3) + 1;
if (buf_size < expected_fr_size) { if (buf_size < expected_fr_size) {
av_log(avctx, AV_LOG_ERROR, av_log(avctx, AV_LOG_ERROR,
"Frame too small (%d bytes). Truncated file?\n", buf_size); "Frame too small (%d bytes). Truncated file?\n", buf_size);
*got_frame_ptr = 0; *got_frame_ptr = 0;
return buf_size; return AVERROR_INVALIDDATA;
} }
if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID) if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID)
av_log(avctx, AV_LOG_ERROR, "Encountered a bad or corrupted frame\n"); av_log(avctx, AV_LOG_ERROR, "Encountered a bad or corrupted frame\n");
if (ctx->fr_cur_mode == MODE_SID) /* Comfort noise frame */ if (ctx->fr_cur_mode == MODE_SID) { /* Comfort noise frame */
av_log_missing_feature(avctx, "SID mode", 1); av_log_missing_feature(avctx, "SID mode", 1);
if (ctx->fr_cur_mode >= MODE_SID)
return -1; return -1;
}
ff_amr_bit_reorder((uint16_t *) &ctx->frame, sizeof(AMRWBFrame), ff_amr_bit_reorder((uint16_t *) &ctx->frame, sizeof(AMRWBFrame),
buf + header_size, amr_bit_orderings_by_mode[ctx->fr_cur_mode]); buf + header_size, amr_bit_orderings_by_mode[ctx->fr_cur_mode]);
......
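Review bot: The `ctx->fr_cur_mode > MODE_SID` test left in `if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID)` can no longer be true now that the new early return sits above it, so that line can become `if (!ctx->fr_quality)`. The new guard also bounds the index by MODE_SID rather than by the tables it protects; cf_sizes_wb and amr_bit_orderings_by_mode are defined outside this hunk, so it is worth confirming that both have MODE_SID + 1 entries and saying so next to the check, e.g. `/* cf_sizes_wb[] and amr_bit_orderings_by_mode[] are indexed by mode, 0..MODE_SID */`. Separately, decode_mime_header() is still called on buf before buf_size is compared with anything, which presumably relies on the caller's input padding for very short packets and deserves a comment or an explicit minimum-size check. The SID branch still returns a bare `-1` while the other two error paths now return AVERROR_INVALIDDATA, and the new invalid-mode path does not clear `*got_frame_ptr` the way the frame-too-small path does. amrwb_decode_frame starts and ends outside the hunk.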