wavpack: check pointer to avoid overreading input buffer

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

wavpack: check pointer to avoid overreading input buffer
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8d06be6b · Michael Niedermayer · 85a4dbeb · 8d06be6b
Commit 8d06be6b authored Jan 11, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

wavpack.c libavcodec/wavpack.c +2 -2

No files found.
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -906,7 +906,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
                continue;
            }
            t = 0;
-            for (i = s->terms - 1; (i >= 0) && (t < size); i--) {
+            for (i = s->terms - 1; (i >= 0) && (t < size) && buf <= buf_end; i--) {
                if (s->decorr[i].value > 8) {
                    s->decorr[i].samplesA[0] = wp_exp2(AV_RL16(buf)); buf += 2;
                    s->decorr[i].samplesA[1] = wp_exp2(AV_RL16(buf)); buf += 2;
@@ -921,7 +921,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
                    s->decorr[i].samplesB[0] = wp_exp2(AV_RL16(buf)); buf += 2;
                    t += 4;
                } else {
-                    for (j = 0; j < s->decorr[i].value; j++) {
+                    for (j = 0; j < s->decorr[i].value && buf+1<buf_end; j++) {
                        s->decorr[i].samplesA[j] = wp_exp2(AV_RL16(buf)); buf += 2;
                        if (s->stereo_in) {
                            s->decorr[i].samplesB[j] = wp_exp2(AV_RL16(buf)); buf += 2;