apedec: do not keep incrementing the input data pointer past the end of the

buffer during entropy decoding. The pointer address could overflow, which would likely segfault. Instead set the context error flag to indicate that the decoder tried to read past the end of the packet data.

apedec: do not keep incrementing the input data pointer past the end of the
buffer during entropy decoding. The pointer address could overflow, which would likely segfault. Instead set the context error flag to indicate that the decoder tried to read past the end of the packet data.
5b8009f4 · Justin Ruggles · a4c32c9a · 5b8009f4
Commit 5b8009f4 authored Oct 11, 2011 by Justin Ruggles
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

apedec.c libavcodec/apedec.c +6 -3

No files found.
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
 {
    while (ctx->rc.range <= BOTTOM_VALUE) {
        ctx->rc.buffer <<= 8;
-        if(ctx->ptr < ctx->data_end)
+        if(ctx->ptr < ctx->data_end) {
            ctx->rc.buffer += *ctx->ptr;
-        ctx->ptr++;
+            ctx->ptr++;
+        } else {
+            ctx->error = 1;
+        }
        ctx->rc.low    = (ctx->rc.low << 8)    | ((ctx->rc.buffer >> 1) & 0xFF);
        ctx->rc.range  <<= 8;
    }
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
        ape_unpack_stereo(s, blockstodecode);
    emms_c();

-    if(s->error || s->ptr > s->data_end){
+    if (s->error) {
        s->samples=0;
        av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
        return AVERROR_INVALIDDATA;