Commit 3c803ed9 authored by Michael Niedermayer

avcodec/adpcm: Check for overreads

See: vlc ticket 14649
Reported-by: carl
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent a34d9023
...@@ -578,6 +578,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, ...@@ -578,6 +578,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
case AV_CODEC_ID_ADPCM_IMA_DK4: case AV_CODEC_ID_ADPCM_IMA_DK4:
if (avctx->block_align > 0) if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align); buf_size = FFMIN(buf_size, avctx->block_align);
if (buf_size < 4 * ch)
return AVERROR_INVALIDDATA;
nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch;
break; break;
case AV_CODEC_ID_ADPCM_IMA_RAD: case AV_CODEC_ID_ADPCM_IMA_RAD:
...@@ -591,13 +593,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, ...@@ -591,13 +593,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2];
if (avctx->block_align > 0) if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align); buf_size = FFMIN(buf_size, avctx->block_align);
if (buf_size < 4 * ch)
return AVERROR_INVALIDDATA;
nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples;
break; break;
} }
case AV_CODEC_ID_ADPCM_MS: case AV_CODEC_ID_ADPCM_MS:
if (avctx->block_align > 0) if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align); buf_size = FFMIN(buf_size, avctx->block_align);
nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; nb_samples = (buf_size - 6 * ch) * 2 / ch;
break; break;
case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_2:
case AV_CODEC_ID_ADPCM_SBPRO_3: case AV_CODEC_ID_ADPCM_SBPRO_3:
...@@ -610,6 +614,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, ...@@ -610,6 +614,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break;
} }
if (!s->status[0].step_index) { if (!s->status[0].step_index) {
if (buf_size < ch)
return AVERROR_INVALIDDATA;
nb_samples++; nb_samples++;
buf_size -= ch; buf_size -= ch;
} }
...@@ -1528,6 +1534,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, ...@@ -1528,6 +1534,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
*got_frame_ptr = 1; *got_frame_ptr = 1;
if (avpkt->size < bytestream2_tell(&gb)) {
av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb));
return avpkt->size;
}
return bytestream2_tell(&gb); return bytestream2_tell(&gb);
} }
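Review bot: The ADPCM_MS case in the second hunk gets no lower-bound check on buf_size, unlike the IMA_DK4 case and the block using `ff_adpcm_ima_block_samples`, which both gain `if (buf_size < 4 * ch) return AVERROR_INVALIDDATA;`. Its expression `(buf_size - 6 * ch) * 2 / ch` is zero or negative for short packets, and with more than one channel it can still give a positive count when buf_size is below `7 * ch`, which the other rendering of that line suggests is the per-channel header size. I would add `if (buf_size < 7 * ch) return AVERROR_INVALIDDATA;` before the computation, after confirming the header size against the decode loop, which is not in the hunk. Whether the caller rejects a non-positive nb_samples cannot be seen here, since get_nb_samples starts and ends outside the shown hunks.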