mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
avcodec/apedec: Fix integer overflow
Fixes: out of array access Fixes: PoC.ape and others Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
615479d51c
commit
ba4beaf614
@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
|
||||
int32_t *sample24;
|
||||
int i, ch, ret;
|
||||
int blockstodecode;
|
||||
uint64_t decoded_buffer_size;
|
||||
|
||||
/* this should never be negative, but bad things will happen if it is, so
|
||||
check it just to make sure. */
|
||||
@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
|
||||
skip_bits_long(&s->gb, offset);
|
||||
}
|
||||
|
||||
if (!nblocks || nblocks > INT_MAX) {
|
||||
if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
|
||||
nblocks);
|
||||
return AVERROR_INVALIDDATA;
|
||||
@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
|
||||
blockstodecode = s->samples;
|
||||
|
||||
/* reallocate decoded sample buffer if needed */
|
||||
av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
|
||||
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
|
||||
decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
|
||||
av_assert0(decoded_buffer_size <= INT_MAX);
|
||||
av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
|
||||
if (!s->decoded_buffer)
|
||||
return AVERROR(ENOMEM);
|
||||
memset(s->decoded_buffer, 0, s->decoded_size);
|
||||
|
Loading…
Reference in New Issue
Block a user