On 28.06.2015 11:40, Luca Barbato wrote:
> On 28/06/15 11:28, Andreas Cadhalpun wrote:
>>> Am I assuming correctly that gb was read beyond its end?
>>
>> That only happens in the second case, not in the first.
>>
>>> If so, this maybe should be treated as an error instead of clipping.
>>
>> Treating one like an error, but not the other, seems strange as well.
>> One could add an explode mode for both. Would that be better?
>
> Adding an explode option is fine for me.
OK, new patch attached.

> What happens on the first?

In that case the addition of s->spillover_nbits can make cnt larger than the packet size.

Best regards,
Andreas
>From 2411958abe82b7f4383498b7aee061b912e3ade9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> Date: Sun, 28 Jun 2015 12:40:12 +0200 Subject: [PATCH] wmavoice: limit wmavoice_decode_packet return value to packet size Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> --- libavcodec/wmavoice.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index ae88d4e..0e70ce6 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1982,7 +1982,17 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, *got_frame_ptr) { cnt += s->spillover_nbits; s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_WARNING, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + if (ctx->err_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + return avpkt->size; + } + return res; } else skip_bits_long (gb, s->spillover_nbits - cnt + get_bits_count(gb)); // resync @@ -2001,7 +2011,17 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, } else if (*got_frame_ptr) { int cnt = get_bits_count(gb); s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_WARNING, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + if (ctx->err_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + return avpkt->size; + } + return res; } else if ((s->sframe_cache_size = pos) > 0) { /* rewind bit reader to start of last (incomplete) superframe... */ init_get_bits(gb, avpkt->data, size << 3); -- 2.1.4
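Review bot: in the first hunk (@@ -1982), `s->skip_bits_next = cnt & 7;` is assigned before the new `res > avpkt->size` check, so in the clipping branch that returns `avpkt->size` the decoder still carries a non-zero bit skip into the next packet even though the byte count it belongs to was just discarded. Move the assignment below the check, or reset `s->skip_bits_next = 0` in the clipping branch, so the returned byte count and the saved bit offset stay consistent. `res` is also not declared anywhere in the hunk; it should be an existing local of wmavoice_decode_packet rather than a variable the patch forgot to add.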
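Review bot: the warning, the AV_EF_EXPLODE test and the clipped return in the second hunk (@@ -2001) duplicate the ten lines added in the first hunk verbatim; factor them into a small static helper taking ctx, res and avpkt->size (or fall through to one shared tail) so the log message and the error policy cannot drift apart later. The `else` after `return AVERROR_INVALIDDATA;` is redundant in both copies and can be dropped.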
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel