virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

avcodec/apedec: Fix integer overflow

Browse Source 
Fixes: out of array access
Fixes: PoC.ape and others

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba4beaf614)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-07-16 14:57:20 +02:00
parent 654ff56103
commit 3cae97b090
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/apedec.c
View File

@ -1404,6 +1404,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
int32_t *sample24;
int i, ch, ret;
int blockstodecode;
uint64_t decoded_buffer_size;
/* this should never be negative, but bad things will happen if it is, so
check it just to make sure. */
@ -1459,7 +1460,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
skip_bits_long(&s->gb, offset);
}
if (!nblocks || nblocks > INT_MAX) {
if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
nblocks);
return AVERROR_INVALIDDATA;
@ -1485,8 +1486,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
blockstodecode = s->samples;
/* reallocate decoded sample buffer if needed */
av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
av_assert0(decoded_buffer_size <= INT_MAX);
av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
if (!s->decoded_buffer)
return AVERROR(ENOMEM);
memset(s->decoded_buffer, 0, s->decoded_size);