[FFmpeg-cvslog] r16973 - trunk/libavcodec/adpcm.c
stefang
subversion
Tue Feb 3 18:56:25 CET 2009
Author: stefang
Date: Tue Feb 3 18:56:24 2009
New Revision: 16973
Log:
check validity of pointer srcC
Modified:
trunk/libavcodec/adpcm.c
Modified: trunk/libavcodec/adpcm.c
==============================================================================
--- trunk/libavcodec/adpcm.c Tue Feb 3 18:03:49 2009 (r16972)
+++ trunk/libavcodec/adpcm.c Tue Feb 3 18:56:24 2009 (r16973)
@@ -1285,6 +1285,7 @@ static int adpcm_decode_frame(AVCodecCon
unsigned int channel;
uint16_t *samplesC;
const uint8_t *srcC;
+ const uint8_t *src_end = buf + buf_size;
samples_in_chunk = (big_endian ? bytestream_get_be32(&src)
: bytestream_get_le32(&src)) / 28;
@@ -1295,9 +1296,12 @@ static int adpcm_decode_frame(AVCodecCon
}
for (channel=0; channel<avctx->channels; channel++) {
- srcC = src + (avctx->channels-channel) * 4;
- srcC += (big_endian ? bytestream_get_be32(&src)
- : bytestream_get_le32(&src));
+ int32_t offset = (big_endian ? bytestream_get_be32(&src)
+ : bytestream_get_le32(&src))
+ + (avctx->channels-channel-1) * 4;
+
+ if ((offset < 0) || (offset >= src_end - src - 4)) break;
+ srcC = src + offset;
samplesC = samples + channel;
if (avctx->codec->id == CODEC_ID_ADPCM_EA_R1) {
@@ -1311,6 +1315,7 @@ static int adpcm_decode_frame(AVCodecCon
for (count1=0; count1<samples_in_chunk; count1++) {
if (*srcC == 0xEE) { /* only seen in R2 and R3 */
srcC++;
+ if (srcC > src_end - 30*2) break;
current_sample = (int16_t)bytestream_get_be16(&srcC);
previous_sample = (int16_t)bytestream_get_be16(&srcC);
@@ -1323,6 +1328,7 @@ static int adpcm_decode_frame(AVCodecCon
coeff2 = ea_adpcm_table[(*srcC>>4) + 4];
shift = (*srcC++ & 0x0F) + 8;
+ if (srcC > src_end - 14) break;
for (count2=0; count2<28; count2++) {
if (count2 & 1)
next_sample = (int32_t)((*srcC++ & 0x0F) << 28) >> shift;
More information about the ffmpeg-cvslog
mailing list