On 28.06.2015 11:40, Luca Barbato wrote:
> On 28/06/15 11:28, Andreas Cadhalpun wrote:
>>> am I assuming correctly that gb was read beyond its end?
>>
>> That only happens in the second case, not in the first.
>>
>>> if so this maybe should be treated as an error instead of clipping
>>
>> Treating one like an error, but not the other seems strange as well.
>> One could add an explode mode for both. Would that be better?
> 
> Adding an explode option is fine for me.

OK, new patch attached.

> What happens on the first?

In that case the addition of s->spillover_nbits can make cnt larger than
the packet size.

Best regards,
Andreas
From 2411958abe82b7f4383498b7aee061b912e3ade9 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Sun, 28 Jun 2015 12:40:12 +0200
Subject: [PATCH] wmavoice: limit wmavoice_decode_packet return value to packet
 size

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/wmavoice.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index ae88d4e..0e70ce6 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1982,7 +1982,17 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
                     *got_frame_ptr) {
                     cnt += s->spillover_nbits;
                     s->skip_bits_next = cnt & 7;
-                    return cnt >> 3;
+                    res = cnt >> 3;
+                    if (res > avpkt->size) {
+                        av_log(ctx, AV_LOG_WARNING,
+                               "Trying to skip %d bytes in packet of size %d\n",
+                               res, avpkt->size);
+                        if (ctx->err_recognition & AV_EF_EXPLODE)
+                            return AVERROR_INVALIDDATA;
+                        else
+                            return avpkt->size;
+                    }
+                    return res;
                 } else
                     skip_bits_long (gb, s->spillover_nbits - cnt +
                                     get_bits_count(gb)); // resync
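Review bot: the clamp leaves stale decoder state behind in the non-explode branch: `s->skip_bits_next = cnt & 7;` is assigned before the `res > avpkt->size` check, so when the function returns `avpkt->size` the next call still skips a bit offset derived from a count that already overran the packet. Reset `s->skip_bits_next = 0;` before `return avpkt->size;` so that the clipped packet does not skew decoding of the following one. The `cnt += s->spillover_nbits;` line above is what pushes `cnt` past the packet here (per the discussion), so mentioning spillover in the warning text would also make the log more useful than the generic "Trying to skip".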
@@ -2001,7 +2011,17 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
     } else if (*got_frame_ptr) {
         int cnt = get_bits_count(gb);
         s->skip_bits_next = cnt & 7;
-        return cnt >> 3;
+        res = cnt >> 3;
+        if (res > avpkt->size) {
+            av_log(ctx, AV_LOG_WARNING,
+                   "Trying to skip %d bytes in packet of size %d\n",
+                   res, avpkt->size);
+            if (ctx->err_recognition & AV_EF_EXPLODE)
+                return AVERROR_INVALIDDATA;
+            else
+                return avpkt->size;
+        }
+        return res;
     } else if ((s->sframe_cache_size = pos) > 0) {
         /* rewind bit reader to start of last (incomplete) superframe... */
         init_get_bits(gb, avpkt->data, size << 3);
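Review bot: the `av_log` / `AV_EF_EXPLODE` / clamp block here is a verbatim copy of the one in the previous hunk; factor it into a small static helper taking `ctx`, `cnt` and `avpkt->size` (returning either the byte count, `avpkt->size`, or `AVERROR_INVALIDDATA`) so the two call sites cannot drift apart. The same ordering issue applies in this hunk: `s->skip_bits_next = cnt & 7;` is set from the overrun `cnt` before the check, so the clamped `return avpkt->size;` path should also reset `s->skip_bits_next` to 0. Since the thread notes that in this second case `gb` has actually been read beyond its end, the warning could say so explicitly rather than reusing the "Trying to skip" wording.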
-- 
2.1.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
