On 02/29/2012 11:19 PM, Ronald S. Bultje wrote:
Hi,
On Wed, Feb 29, 2012 at 1:12 PM, Ronald S. Bultje<rsbul...@gmail.com> wrote:
On Wed, Feb 29, 2012 at 1:09 PM, Vitor Sessak<vitor1...@gmail.com> wrote:
---
libavcodec/amrnbdec.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c
index fff0e72..cdfcfc7 100644
--- a/libavcodec/amrnbdec.c
+++ b/libavcodec/amrnbdec.c
@@ -200,6 +200,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const
uint8_t *buf,
p->bad_frame_indicator = !get_bits1(&gb); // quality bit
skip_bits(&gb, 2); // two padding bits
+ if (buf_size< frame_sizes_nb[mode] + 1) {
+ return NO_DATA;
+ }
This will overread a static array if mode (4bit unchecked) is read
from /dev/random. I think it should be "if (mode>= N_MODES || ...)"
here.
Good catch.
if (mode< MODE_DTX)
ff_amr_bit_reorder((uint16_t *)&p->frame, sizeof(AMRNBFrame), buf + 1,
amr_unpacking_bitmaps_per_mode[mode]);
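Review bot: The added size check in unpack_bitstream reads frame_sizes_nb[mode] before mode has been range-checked, so the check meant to prevent an overread can itself index past the table. Test the mode first, for example `if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1)`, as the reply above suggests. A short comment would also help on the `+ 1`, which appears to account for the header byte skipped by `buf + 1` in the ff_amr_bit_reorder call.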
@@ -947,6 +951,10 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void
*data,
buf_out = (float *)p->avframe.data[0];
p->cur_frame_mode = unpack_bitstream(p, buf, buf_size);
+ if (p->cur_frame_mode == NO_DATA) {
+ av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n");
+ return AVERROR_INVALIDDATA;
+ }
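Review bot: The new check in amrnb_decode_frame maps every NO_DATA return from unpack_bitstream to AVERROR_INVALIDDATA, so NO_DATA now doubles as an error sentinel. If a stream can legitimately signal that mode, those frames would be rejected as corrupt. Consider a distinct return value for the truncated-packet case, and include buf_size in the av_log message so the failure can be diagnosed from the log.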
Committed with that fixed.
Great, thanks!
-Vitor
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel