On Wed, Sep 7, 2011 at 1:19 PM, Laurent Aimar <fen...@elivagar.org> wrote:
> See patch.
>

> From 101398eddbc0ee6f98f7ea8760f52b8d83b265b0 Mon Sep 17 00:00:00 2001
> From: Laurent Aimar <fen...@videolan.org>
> Date: Wed, 7 Sep 2011 22:17:39 +0200
> Subject: [PATCH] Fixed invalid writes in wavpack decoder on corrupted 
> bitstreams.
>
> ---
>  libavcodec/wavpack.c |    6 +++---
>  1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
> index 8e81d2d..f43819c 100644
> --- a/libavcodec/wavpack.c
> +++ b/libavcodec/wavpack.c
> @@ -1134,7 +1134,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, 
> int block_no,
>              int16_t *dst = (int16_t*)samples + 1;
>              int16_t *src = (int16_t*)samples;
>              int cnt = samplecount;
> -            while(cnt--){
> +            while(cnt-- > 0){
>                  *dst = *src;
>                  src += channel_stride;
>                  dst += channel_stride;
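Review bot: `while(cnt-- > 0)` in the int16_t loop only skips the copy when samplecount is negative; nothing in the hunk reports the failure, so the error is hidden rather than handled. Test samplecount right after it is assigned and return the error there, so this loop never sees a negative count.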
> @@ -1143,7 +1143,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, 
> int block_no,
>              int32_t *dst = (int32_t*)samples + 1;
>              int32_t *src = (int32_t*)samples;
>              int cnt = samplecount;
> -            while(cnt--){
> +            while(cnt-- > 0){
>                  *dst = *src;
>                  src += channel_stride;
>                  dst += channel_stride;
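Review bot: this int32_t loop gets the same one-token guard as the int16_t loop before it and the float loop after it, and three pasted copies are easy to miss if another sample format branch is added later. One check on samplecount ahead of the format branches would cover all of them.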
> @@ -1152,7 +1152,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, 
> int block_no,
>              float *dst = (float*)samples + 1;
>              float *src = (float*)samples;
>              int cnt = samplecount;
> -            while(cnt--){
> +            while(cnt-- > 0){
>                  *dst = *src;
>                  src += channel_stride;
>                  dst += channel_stride;
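Review bot: nothing at `int cnt = samplecount;` in the float branch documents why cnt can be non-positive here, and the subject line only says "corrupted bitstreams". If the loop guard is kept, add a short comment stating that samplecount may be negative on a decode error.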

It's probably better to attack this closer to the root of the problem.
cnt is initialized to samplecount, which is set by wv_unpack_mono().

wv_unpack_mono() returns negative error codes so something like this
probably makes more sense:


>         if(avctx->sample_fmt == AV_SAMPLE_FMT_S16)
>             samplecount = wv_unpack_mono(s, &s->gb, samples, 
> AV_SAMPLE_FMT_S16);
>         else if(avctx->sample_fmt == AV_SAMPLE_FMT_S32)
>             samplecount = wv_unpack_mono(s, &s->gb, samples, 
> AV_SAMPLE_FMT_S32);
>         else
>             samplecount = wv_unpack_mono(s, &s->gb, samples, 
> AV_SAMPLE_FMT_FLT);

+    if (samplecount < 0)
+        return samplecount;
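Review bot: the two added lines are indented four spaces while the quoted if/else chain they follow is indented eight, so it is not clear which block the check is meant to sit in; it should be at the same level as the chain, directly after the final else assignment. The quoted lines also write `if(` without a space, so `if (samplecount < 0)` differs from the surrounding style.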

Regards,
Alex
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
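Added example, not part of the original thread or of the libav source: it contrasts the old `while(cnt--)` test, the patched `while(cnt-- > 0)` test and the early return proposed in the reply when the count is negative. `unpack_stub`, `dup_channel`, `decode_checked`, the buffer size and the iteration cap are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAME_SAMPLES 4   /* constructed: samples per channel in the buffer */

/* Hypothetical stand-in for the unpack call: a sample count on success,
 * a negative error code on a corrupted block. */
static int unpack_stub(int corrupted) { return corrupted ? -1 : FRAME_SAMPLES; }

/* Copy channel 0 into channel 1 of an interleaved stereo buffer.
 * guarded == 0 uses the old `while(cnt--)` test, guarded == 1 uses
 * `while(cnt-- > 0)`. Copies that would land past the buffer are counted,
 * not performed, and the walk stops after `limit` iterations (the real
 * old loop has no such cap). */
static int dup_channel(int16_t *samples, int samplecount, int guarded, int limit)
{
    int cnt = samplecount, i = 0, overrun = 0;
    while (guarded ? (cnt-- > 0) : (cnt-- != 0)) {
        if (i < FRAME_SAMPLES)
            samples[2 * i + 1] = samples[2 * i];
        else
            overrun++;
        if (++i >= limit)
            break;
    }
    return overrun;
}

/* The check proposed in the reply: reject a negative count before use. */
static int decode_checked(int16_t *samples, int corrupted)
{
    int samplecount = unpack_stub(corrupted);
    if (samplecount < 0)
        return samplecount;
    dup_channel(samples, samplecount, 1, 64);
    return samplecount;
}

int main(void)
{
    int16_t buf[FRAME_SAMPLES * 2] = { 10, 0, 20, 0, 30, 0, 40, 0 };
    printf("old loop, cnt=-1:     %d overruns\n", dup_channel(buf, -1, 0, 64));
    printf("guarded loop, cnt=-1: %d overruns\n", dup_channel(buf, -1, 1, 64));
    printf("checked, corrupted:   %d\n", decode_checked(buf, 1));
    printf("checked, valid:       %d\n", decode_checked(buf, 0));
    return 0;
}
```

The guarded loop and the early return both avoid the out-of-range copies, but only the early return hands the error code back to the caller.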