Commit f09bbb8f authored by Paul B Mahol's avatar Paul B Mahol

avformat/ac3dec: always skip junk bytes before sync bytes

Fixes #7278.
parent 67cdfcf6
...@@ -1467,7 +1467,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, ...@@ -1467,7 +1467,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
int buf_size, full_buf_size = avpkt->size; int buf_size, full_buf_size = avpkt->size;
AC3DecodeContext *s = avctx->priv_data; AC3DecodeContext *s = avctx->priv_data;
int blk, ch, err, offset, ret; int blk, ch, err, offset, ret;
int got_independent_frame = 0; int skip = 0, got_independent_frame = 0;
const uint8_t *channel_map; const uint8_t *channel_map;
uint8_t extended_channel_map[EAC3_MAX_CHANNELS]; uint8_t extended_channel_map[EAC3_MAX_CHANNELS];
const SHORTFLOAT *output[AC3_MAX_CHANNELS]; const SHORTFLOAT *output[AC3_MAX_CHANNELS];
...@@ -1477,6 +1477,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, ...@@ -1477,6 +1477,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
s->superframe_size = 0; s->superframe_size = 0;
buf_size = full_buf_size; buf_size = full_buf_size;
while (buf_size > 2) {
if (AV_RB16(buf) != 0x770B && AV_RL16(buf) != 0x770B) {
buf += 1;
buf_size -= 1;
continue;
}
break;
}
/* copy input buffer to decoder context to avoid reading past the end /* copy input buffer to decoder context to avoid reading past the end
of the buffer, which can be caused by a damaged input stream. */ of the buffer, which can be caused by a damaged input stream. */
if (buf_size >= 2 && AV_RB16(buf) == 0x770B) { if (buf_size >= 2 && AV_RB16(buf) == 0x770B) {
...@@ -1637,6 +1645,11 @@ dependent_frame: ...@@ -1637,6 +1645,11 @@ dependent_frame:
AC3HeaderInfo hdr; AC3HeaderInfo hdr;
int err; int err;
if (buf_size - s->frame_size <= 16) {
skip = buf_size - s->frame_size;
goto skip;
}
if ((ret = init_get_bits8(&s->gbc, buf + s->frame_size, buf_size - s->frame_size)) < 0) if ((ret = init_get_bits8(&s->gbc, buf + s->frame_size, buf_size - s->frame_size)) < 0)
return ret; return ret;
...@@ -1657,6 +1670,7 @@ dependent_frame: ...@@ -1657,6 +1670,7 @@ dependent_frame:
} }
} }
} }
skip:
frame->decode_error_flags = err ? FF_DECODE_ERROR_INVALID_BITSTREAM : 0; frame->decode_error_flags = err ? FF_DECODE_ERROR_INVALID_BITSTREAM : 0;
...@@ -1796,9 +1810,9 @@ dependent_frame: ...@@ -1796,9 +1810,9 @@ dependent_frame:
*got_frame_ptr = 1; *got_frame_ptr = 1;
if (!s->superframe_size) if (!s->superframe_size)
return FFMIN(full_buf_size, s->frame_size); return FFMIN(full_buf_size, s->frame_size + skip);
return FFMIN(full_buf_size, s->superframe_size); return FFMIN(full_buf_size, s->superframe_size + skip);
} }
/** /**
......
...@@ -47,7 +47,7 @@ static int ac3_eac3_probe(AVProbeData *p, enum AVCodecID expected_codec_id) ...@@ -47,7 +47,7 @@ static int ac3_eac3_probe(AVProbeData *p, enum AVCodecID expected_codec_id)
uint16_t frame_size; uint16_t frame_size;
int i, ret; int i, ret;
if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8)) { if(!memcmp(buf2, "\x1\x10", 2)) {
if (buf2 + 16 > end) if (buf2 + 16 > end)
break; break;
buf2+=16; buf2+=16;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment