Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in / Register
Toggle navigation
F
ffmpeg.wasm-core
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Linshizhi
ffmpeg.wasm-core
Commits
417364ce
Commit
417364ce
authored
Sep 12, 2011
by
Justin Ruggles
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
ws_snd: add some checks to prevent buffer overread or overwrite.
parent
2322ced8
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
28 additions
and
4 deletions
+28
-4
ws-snd1.c
libavcodec/ws-snd1.c
+28
-4
No files found.
libavcodec/ws-snd1.c
View file @
417364ce
...
@@ -61,6 +61,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
...
@@ -61,6 +61,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
if
(
!
buf_size
)
if
(
!
buf_size
)
return
0
;
return
0
;
if
(
buf_size
<
4
)
{
av_log
(
avctx
,
AV_LOG_ERROR
,
"packet is too small
\n
"
);
return
AVERROR
(
EINVAL
);
}
out_size
=
AV_RL16
(
&
buf
[
0
]);
out_size
=
AV_RL16
(
&
buf
[
0
]);
in_size
=
AV_RL16
(
&
buf
[
2
]);
in_size
=
AV_RL16
(
&
buf
[
2
]);
buf
+=
4
;
buf
+=
4
;
...
@@ -74,20 +79,37 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
...
@@ -74,20 +79,37 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
return
-
1
;
return
-
1
;
}
}
*
data_size
=
out_size
;
if
(
in_size
==
out_size
)
{
if
(
in_size
==
out_size
)
{
for
(
i
=
0
;
i
<
out_size
;
i
++
)
for
(
i
=
0
;
i
<
out_size
;
i
++
)
*
samples
++
=
*
buf
++
;
*
samples
++
=
*
buf
++
;
*
data_size
=
out_size
;
return
buf_size
;
return
buf_size
;
}
}
while
(
out_size
>
0
)
{
while
(
out_size
>
0
&&
buf
-
avpkt
->
data
<
buf_size
)
{
int
code
;
int
code
,
smp
,
size
;
uint8_t
count
;
uint8_t
count
;
code
=
(
*
buf
)
>>
6
;
code
=
(
*
buf
)
>>
6
;
count
=
(
*
buf
)
&
0x3F
;
count
=
(
*
buf
)
&
0x3F
;
buf
++
;
buf
++
;
/* make sure we don't write more than out_size samples */
switch
(
code
)
{
case
0
:
smp
=
4
;
break
;
case
1
:
smp
=
2
;
break
;
case
2
:
smp
=
(
count
&
0x20
)
?
1
:
count
+
1
;
break
;
default:
smp
=
count
+
1
;
break
;
}
if
(
out_size
<
smp
)
{
out_size
=
0
;
break
;
}
/* make sure we don't read past the input buffer */
size
=
((
code
==
2
&&
(
count
&
0x20
))
||
code
==
3
)
?
0
:
count
+
1
;
if
((
buf
-
avpkt
->
data
)
+
size
>
buf_size
)
break
;
switch
(
code
)
{
switch
(
code
)
{
case
0
:
/* ADPCM 2-bit */
case
0
:
/* ADPCM 2-bit */
for
(
count
++
;
count
>
0
;
count
--
)
{
for
(
count
++
;
count
>
0
;
count
--
)
{
...
@@ -144,6 +166,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
...
@@ -144,6 +166,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
}
}
}
}
*
data_size
=
samples
-
(
uint8_t
*
)
data
;
return
buf_size
;
return
buf_size
;
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
