virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-10 06:10:52 +02:00
Code Issues Releases Activity

apedec: do not keep incrementing the input data pointer past the end of the

Browse Source 
buffer during entropy decoding.

The pointer address could overflow, which would likely segfault. Instead set
the context error flag to indicate that the decoder tried to read past the
end of the packet data.
This commit is contained in:
Justin Ruggles
2011-10-11 14:12:54 -04:00
parent a4c32c9a63
commit 5b8009f4c8
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/apedec.c
View File

@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
{
while (ctx->rc.range <= BOTTOM_VALUE) {
ctx->rc.buffer <<= 8;
if(ctx->ptr < ctx->data_end)
if(ctx->ptr < ctx->data_end) {
ctx->rc.buffer += *ctx->ptr;
ctx->ptr++;
} else {
ctx->error = 1;
}
ctx->rc.low = (ctx->rc.low << 8) | ((ctx->rc.buffer >> 1) & 0xFF);
ctx->rc.range <<= 8;
}
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
ape_unpack_stereo(s, blockstodecode);
emms_c();
if(s->error || s->ptr > s->data_end){
if (s->error) {
s->samples=0;
av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
return AVERROR_INVALIDDATA;