virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-07-16 22:42:38 +02:00
Code Issues Releases Activity

avcodec/wmavoice: Don't initialize GetBitContext with buf == NULL

Browse Source 
Happens when flushing. This triggers NULL + 0 (which is UB) in
init_get_bits_xe (which previously errored out, but the return value
has not been checked) and in copy_bits().

This fixes the wmavoice-(7|11|19)k FATE-tests with UBSan.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This commit is contained in:
Andreas Rheinhardt
2022-09-27 18:02:24 +02:00
parent 8a61f66381
commit d5eb74b58d
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/wmavoice.c
View File

@ -1900,6 +1900,8 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, AVFrame *frame,
{
WMAVoiceContext *s = ctx->priv_data;
GetBitContext *gb = &s->gb;
const uint8_t *buf = avpkt->data;
uint8_t dummy[1];
int size, res, pos;
/* Packets are sometimes a multiple of ctx->block_align, with a packet
@ -1908,7 +1910,8 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, AVFrame *frame,
* in a single "muxer" packet, so we artificially emulate that by
* capping the packet size at ctx->block_align. */
for (size = avpkt->size; size > ctx->block_align; size -= ctx->block_align);
init_get_bits8(&s->gb, avpkt->data, size);
buf = size ? buf : dummy;
init_get_bits8(&s->gb, buf, size);
/* size == ctx->block_align is used to indicate whether we are dealing with
* a new packet or a packet of which we already read the packet header
@ -1931,7 +1934,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, AVFrame *frame,
if (cnt + s->spillover_nbits > avpkt->size * 8) {
s->spillover_nbits = avpkt->size * 8 - cnt;
}
copy_bits(&s->pb, avpkt->data, size, gb, s->spillover_nbits);
copy_bits(&s->pb, buf, size, gb, s->spillover_nbits);
flush_put_bits(&s->pb);
s->sframe_cache_size += s->spillover_nbits;
if ((res = synth_superframe(ctx, frame, got_frame_ptr)) == 0 &&
@ -1968,7 +1971,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, AVFrame *frame,
} else if ((s->sframe_cache_size = pos) > 0) {
/* ... cache it for spillover in next packet */
init_put_bits(&s->pb, s->sframe_cache, SFRAME_CACHE_MAXSIZE);
copy_bits(&s->pb, avpkt->data, size, gb, s->sframe_cache_size);
copy_bits(&s->pb, buf, size, gb, s->sframe_cache_size);
// FIXME bad - just copy bytes as whole and add use the
// skip_bits_next field
}