[FFmpeg-cvslog] apedec: do not keep incrementing the input data pointer past the end of the

Justin Ruggles git at videolan.org
Sat Oct 29 02:31:38 CEST 2011


ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Tue Oct 11 14:12:54 2011 -0400| [5b8009f4c80d8fd96523c8c163441ad4011ad472] | committer: Justin Ruggles

apedec: do not keep incrementing the input data pointer past the end of the
buffer during entropy decoding.

The pointer address could overflow, which would likely segfault. Instead set
the context error flag to indicate that the decoder tried to read past the
end of the packet data.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b8009f4c80d8fd96523c8c163441ad4011ad472
---

 libavcodec/apedec.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index ef990bf..133eb2d 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -247,9 +247,12 @@ static inline void range_dec_normalize(APEContext *ctx)
 {
     while (ctx->rc.range <= BOTTOM_VALUE) {
         ctx->rc.buffer <<= 8;
-        if(ctx->ptr < ctx->data_end)
+        if(ctx->ptr < ctx->data_end) {
             ctx->rc.buffer += *ctx->ptr;
-        ctx->ptr++;
+            ctx->ptr++;
+        } else {
+            ctx->error = 1;
+        }
         ctx->rc.low    = (ctx->rc.low << 8)    | ((ctx->rc.buffer >> 1) & 0xFF);
         ctx->rc.range  <<= 8;
     }
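Review bot: In range_dec_normalize, the new else branch sets ctx->error but the while loop keeps going, so once ctx->ptr reaches ctx->data_end the range coder continues on zero bytes shifted into rc.buffer until the caller looks at the flag. Judging by the second hunk, that only happens at the end of ape_decode_frame, where the samples are dropped, so the behaviour is acceptable. A one-line comment on the else branch would make the contract explicit: reads past data_end are treated as zero and reported through ctx->error. Style nit: the rewritten line keeps "if(" while the second hunk moves to "if (".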
@@ -893,7 +896,7 @@ static int ape_decode_frame(AVCodecContext *avctx,
         ape_unpack_stereo(s, blockstodecode);
     emms_c();
 
-    if(s->error || s->ptr > s->data_end){
+    if (s->error) {
         s->samples=0;
         av_log(avctx, AV_LOG_ERROR, "Error decoding frame\n");
         return AVERROR_INVALIDDATA;
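Review bot: Dropping the "s->ptr > s->data_end" test in ape_decode_frame makes s->error the only signal of an over-read, which holds only if every place that advances s->ptr also bounds-checks and sets the flag. This patch covers range_dec_normalize; please confirm that no other reader in apedec.c increments the pointer unchecked, or keep the comparison as a second line of defence. The hunk also does not show where s->error is cleared. If it is not reset before each packet, one truncated packet would make every later frame return AVERROR_INVALIDDATA.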


