adpcm: fix out of bound reads due to integer overflow

Signed-off-by: Janne Grunau <janne-libav@jannau.net>

adpcm: fix out of bound reads due to integer overflow
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
c7f89064 · Laurent Aimar · Janne Grunau · 2475f1a8 · c7f89064
Commit c7f89064 authored Sep 30, 2011 by Laurent Aimar Committed by Janne Grunau Oct 10, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

adpcm.c libavcodec/adpcm.c +4 -2

No files found.
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -630,10 +630,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
            buf_size -= 128;
        }
        break;
-    case CODEC_ID_ADPCM_IMA_EA_EACS:
+    case CODEC_ID_ADPCM_IMA_EA_EACS: {
+        unsigned header_size = 4 + (8<<st);
        samples_in_chunk = bytestream_get_le32(&src) >> (1-st);

-        if (samples_in_chunk > buf_size-4-(8<<st)) {
+        if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
            src += buf_size - 4;
            break;
        }
@@ -648,6 +649,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
            *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
        }
        break;
+    }
    case CODEC_ID_ADPCM_IMA_EA_SEAD:
        for (; src < buf+buf_size; src++) {
            *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);