Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in / Register
Toggle navigation
F
ffmpeg.wasm-core
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Linshizhi
ffmpeg.wasm-core
Commits
a4c32c9a
Commit
a4c32c9a
authored
Oct 11, 2011
by
Justin Ruggles
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apedec: check for input buffer overflow while reading frame header
parent
fd244ae3
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
28 additions
and
6 deletions
+28
-6
apedec.c
libavcodec/apedec.c
+28
-6
No files found.
libavcodec/apedec.c
View file @
a4c32c9a
...
...
@@ -471,9 +471,11 @@ static void entropy_decode(APEContext *ctx, int blockstodecode, int stereo)
range_dec_normalize
(
ctx
);
/* normalize to use up all bytes */
}
static
void
init_entropy_decoder
(
APEContext
*
ctx
)
static
int
init_entropy_decoder
(
APEContext
*
ctx
)
{
/* Read the CRC */
if
(
ctx
->
data_end
-
ctx
->
ptr
<
6
)
return
AVERROR_INVALIDDATA
;
ctx
->
CRC
=
bytestream_get_be32
(
&
ctx
->
ptr
);
/* Read the frame flags if they exist */
...
...
@@ -481,6 +483,8 @@ static void init_entropy_decoder(APEContext *ctx)
if
((
ctx
->
fileversion
>
3820
)
&&
(
ctx
->
CRC
&
0x80000000
))
{
ctx
->
CRC
&=
~
0x80000000
;
if
(
ctx
->
data_end
-
ctx
->
ptr
<
6
)
return
AVERROR_INVALIDDATA
;
ctx
->
frameflags
=
bytestream_get_be32
(
&
ctx
->
ptr
);
}
...
...
@@ -497,6 +501,8 @@ static void init_entropy_decoder(APEContext *ctx)
ctx
->
ptr
++
;
range_start_decoding
(
ctx
);
return
0
;
}
static
const
int32_t
initial_coeffs
[
4
]
=
{
...
...
@@ -738,10 +744,11 @@ static void ape_apply_filters(APEContext *ctx, int32_t *decoded0,
}
}
static
void
init_frame_decoder
(
APEContext
*
ctx
)
static
int
init_frame_decoder
(
APEContext
*
ctx
)
{
int
i
;
init_entropy_decoder
(
ctx
);
int
i
,
ret
;
if
((
ret
=
init_entropy_decoder
(
ctx
))
<
0
)
return
ret
;
init_predictor_decoder
(
ctx
);
for
(
i
=
0
;
i
<
APE_FILTER_LEVELS
;
i
++
)
{
...
...
@@ -750,6 +757,7 @@ static void init_frame_decoder(APEContext *ctx)
init_filter
(
ctx
,
ctx
->
filters
[
i
],
ctx
->
filterbuf
[
i
],
ape_filter_orders
[
ctx
->
fset
][
i
]);
}
return
0
;
}
static
void
ape_unpack_mono
(
APEContext
*
ctx
,
int
count
)
...
...
@@ -825,7 +833,14 @@ static int ape_decode_frame(AVCodecContext *avctx,
if
(
!
s
->
samples
){
uint32_t
offset
;
void
*
tmp_data
=
av_realloc
(
s
->
data
,
(
buf_size
+
3
)
&
~
3
);
void
*
tmp_data
;
if
(
buf_size
<
8
)
{
av_log
(
avctx
,
AV_LOG_ERROR
,
"Packet is too small
\n
"
);
return
AVERROR_INVALIDDATA
;
}
tmp_data
=
av_realloc
(
s
->
data
,
(
buf_size
+
3
)
&
~
3
);
if
(
!
tmp_data
)
return
AVERROR
(
ENOMEM
);
s
->
data
=
tmp_data
;
...
...
@@ -840,6 +855,10 @@ static int ape_decode_frame(AVCodecContext *avctx,
s
->
data
=
NULL
;
return
AVERROR_INVALIDDATA
;
}
if
(
s
->
data_end
-
s
->
ptr
<
offset
)
{
av_log
(
avctx
,
AV_LOG_ERROR
,
"Packet is too small
\n
"
);
return
AVERROR_INVALIDDATA
;
}
s
->
ptr
+=
offset
;
if
(
!
nblocks
||
nblocks
>
INT_MAX
)
{
...
...
@@ -852,7 +871,10 @@ static int ape_decode_frame(AVCodecContext *avctx,
memset
(
s
->
decoded1
,
0
,
sizeof
(
s
->
decoded1
));
/* Initialize the frame decoder */
init_frame_decoder
(
s
);
if
(
init_frame_decoder
(
s
)
<
0
)
{
av_log
(
avctx
,
AV_LOG_ERROR
,
"Error reading frame header
\n
"
);
return
AVERROR_INVALIDDATA
;
}
}
if
(
!
s
->
data
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
