Commit 94bb1ce8 authored by Andreas Cadhalpun's avatar Andreas Cadhalpun Committed by Anton Khirnov

alsdec: check sample pointer range in revert_channel_correlation

Also change the type of begin, end and smp to ptrdiff_t to make the
comparison well-defined.

CC: libav-stable@libav.org
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
parent 110f7f35
...@@ -1223,6 +1223,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ...@@ -1223,6 +1223,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
ALSChannelData *ch = cd[c]; ALSChannelData *ch = cd[c];
unsigned int dep = 0; unsigned int dep = 0;
unsigned int channels = ctx->avctx->channels; unsigned int channels = ctx->avctx->channels;
unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order;
if (reverted[c]) if (reverted[c])
return 0; return 0;
...@@ -1254,9 +1255,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ...@@ -1254,9 +1255,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
dep = 0; dep = 0;
while (!ch[dep].stop_flag) { while (!ch[dep].stop_flag) {
unsigned int smp; ptrdiff_t smp;
unsigned int begin = 1; ptrdiff_t begin = 1;
unsigned int end = bd->block_length - 1; ptrdiff_t end = bd->block_length - 1;
int64_t y; int64_t y;
int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset;
...@@ -1270,6 +1271,15 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ...@@ -1270,6 +1271,15 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
end -= t; end -= t;
} }
if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master ||
FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) {
av_log(ctx->avctx, AV_LOG_ERROR,
"sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t),
ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
return AVERROR_INVALIDDATA;
}
for (smp = begin; smp < end; smp++) { for (smp = begin; smp < end; smp++) {
y = (1 << 6) + y = (1 << 6) +
MUL64(ch[dep].weighting[0], master[smp - 1 ]) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) +
...@@ -1282,6 +1292,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ...@@ -1282,6 +1292,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
bd->raw_samples[smp] += y >> 7; bd->raw_samples[smp] += y >> 7;
} }
} else { } else {
if (begin - 1 < ctx->raw_buffer - master ||
end + 1 > ctx->raw_buffer + channels * channel_size - master) {
av_log(ctx->avctx, AV_LOG_ERROR,
"sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
master + begin - 1, master + end + 1,
ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
return AVERROR_INVALIDDATA;
}
for (smp = begin; smp < end; smp++) { for (smp = begin; smp < end; smp++) {
y = (1 << 6) + y = (1 << 6) +
MUL64(ch[dep].weighting[0], master[smp - 1]) + MUL64(ch[dep].weighting[0], master[smp - 1]) +
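Review bot: Both added av_log calls (the hunks at +1271 and +1292) build their `%p` arguments with `master + ...` for a range the preceding condition has just found to lie outside raw_buffer, so the error path itself forms out-of-bounds pointers, and it passes `int32_t *` to `%p` without a `void *` cast. The guard conditions avoid this by comparing ptrdiff_t offsets, and the message can do the same, which also keeps heap addresses out of logs produced by malformed input: `"sample index range [%td, %td] not contained in raw_buffer of %u samples.\n"` with `master - ctx->raw_buffer + begin - 1, master - ctx->raw_buffer + end + 1, channels * channel_size` (using the FFMIN/FFMAX forms in the first check). Separately, `ptrdiff_t end = bd->block_length - 1;` still evaluates the subtraction in the type of block_length, so if that field is unsigned (its declaration is not shown here) a zero length yields a large positive end on 64-bit targets rather than -1. The new check appears to reject that case, but a comment saying so would help. The body of revert_channel_correlation starts and ends outside these hunks.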