alsdec: validate time diff index

If begin is smaller than t, the subtraction 'begin -= t' wraps around, because begin is unsigned. The same applies for end < t. This causes segmentation faults. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

alsdec: validate time diff index
If begin is smaller than t, the subtraction 'begin -= t' wraps around, because begin is unsigned. The same applies for end < t. This causes segmentation faults. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
faf9fe2c · Andreas Cadhalpun · Michael Niedermayer · 5cd21693 · faf9fe2c
Commit faf9fe2c authored Apr 18, 2015 by Andreas Cadhalpun Committed by Michael Niedermayer Apr 18, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

alsdec.c libavcodec/alsdec.c +8 -0

No files found.
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
            if (ch[dep].time_diff_sign) {
                t      = -t;
+                if (t > 0 && begin < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
+                    return AVERROR_INVALIDDATA;
+                }
                begin -= t;
            } else {
+                if (t > 0 && end < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t);
+                    return AVERROR_INVALIDDATA;
+                }
                end   -= t;
            }