adpcm: check buffer size in IMA DK4 decoder before reading header.

Also use the post-header data size to control termination of the main decoding loop.

adpcm: check buffer size in IMA DK4 decoder before reading header.
Also use the post-header data size to control termination of the main decoding loop.
5c9eb4fa · Justin Ruggles · a57ea1a8 · 5c9eb4fa
Commit 5c9eb4fa authored Sep 10, 2011 by Justin Ruggles
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

adpcm.c libavcodec/adpcm.c +7 -1

No files found.
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -528,6 +528,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
        if (avctx->block_align != 0 && buf_size > avctx->block_align)
            buf_size = avctx->block_align;
+        n = buf_size - 4 * avctx->channels;
+        if (n < 0) {
+            av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+            return AVERROR(EINVAL);
+        }
        for (channel = 0; channel < avctx->channels; channel++) {
            cs = &c->status[channel];
            cs->predictor  = (int16_t)bytestream_get_le16(&src);
@@ -535,7 +541,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
            src++;
            *samples++ = cs->predictor;
        }
-        while (src < buf + buf_size) {
+        while (n-- > 0) {
            uint8_t v = *src++;
            *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4  , 3);
            *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3);