avcodec/adpcm: Check for overreads

See: vlc ticket 14649 Reported-by: carl Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3c803ed9cb23e5a8d76b6c31d8a8c71cac27e769) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2015-06-04 23:34:12 +0300
committer: Michael Niedermayer <michaelni@gmx.at> 2015-06-10 03:13:12 +0300
commit: 6fd4b2b84f603a0b5721ec1bc965abadb89095e8 (patch)
tree: 10c0b80e7b410347c4c48003568183b23ed1e987
parent: a3740b6a8644198d9c61f9080f4fa407d37531b8 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index dbbb358b44..b16abc9119 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -570,6 +570,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
     case AV_CODEC_ID_ADPCM_IMA_DK4:
         if (avctx->block_align > 0)
             buf_size = FFMIN(buf_size, avctx->block_align);
+        if (buf_size < 4 * ch)
+            return AVERROR_INVALIDDATA;
         nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch;
         break;
     case AV_CODEC_ID_ADPCM_IMA_RAD:
@@ -583,13 +585,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
         int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2];
         if (avctx->block_align > 0)
             buf_size = FFMIN(buf_size, avctx->block_align);
+        if (buf_size < 4 * ch)
+            return AVERROR_INVALIDDATA;
         nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples;
         break;
     }
     case AV_CODEC_ID_ADPCM_MS:
         if (avctx->block_align > 0)
             buf_size = FFMIN(buf_size, avctx->block_align);
-        nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch;
+        nb_samples = (buf_size - 6 * ch) * 2 / ch;
         break;
     case AV_CODEC_ID_ADPCM_SBPRO_2:
     case AV_CODEC_ID_ADPCM_SBPRO_3:
@@ -602,6 +606,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
         case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break;
         }
         if (!s->status[0].step_index) {
+            if (buf_size < ch)
+                return AVERROR_INVALIDDATA;
             nb_samples++;
             buf_size -= ch;
         }
@@ -1517,6 +1523,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
 
     *got_frame_ptr = 1;
 
+    if (avpkt->size < bytestream2_tell(&gb)) {
+        av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb));
+        return avpkt->size;
+    }
+
     return bytestream2_tell(&gb);
 }
author	Michael Niedermayer <michaelni@gmx.at>	2015-06-04 23:34:12 +0300
committer	Michael Niedermayer <michaelni@gmx.at>	2015-06-10 03:13:12 +0300
commit	6fd4b2b84f603a0b5721ec1bc965abadb89095e8 (patch)
tree	10c0b80e7b410347c4c48003568183b23ed1e987
parent	a3740b6a8644198d9c61f9080f4fa407d37531b8 (diff)