diff options
| author | Daniel Geerts <daniel.geerts.ordina@outlook.com> | 2016-06-23 12:08:53 +0300 |
|---|---|---|
| committer | Hendrik Leppkes <h.leppkes@gmail.com> | 2016-06-23 12:17:26 +0300 |
| commit | 99d1c21d967644a873fee689b05b03c396fd1b6b (patch) | |
| tree | 20c7bc725fb8954015d26add48ff9e6bb1367c8d /decoder | |
| parent | eba992ee04945b681fcab5cded3c44a0e44c358f (diff) | |
Add a few additional buffer safety checks
Diffstat (limited to 'decoder')
| -rw-r--r-- | decoder/LAVAudio/LAVAudio.cpp | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/decoder/LAVAudio/LAVAudio.cpp b/decoder/LAVAudio/LAVAudio.cpp index 44af0365..549f452d 100644 --- a/decoder/LAVAudio/LAVAudio.cpp +++ b/decoder/LAVAudio/LAVAudio.cpp @@ -1625,7 +1625,11 @@ HRESULT CLAVAudio::Receive(IMediaSample *pIn) } long len = pIn->GetActualDataLength(); - if (len == 0) { + if (len < 0) { + DbgLog((LOG_ERROR, 10, L"Invalid data length, aborting")); + return E_FAIL; + } + else if (len == 0) { return S_OK; } @@ -1670,7 +1674,7 @@ HRESULT CLAVAudio::Receive(IMediaSample *pIn) m_rtStartInput = SUCCEEDED(hr) ? rtStart : AV_NOPTS_VALUE; m_rtStopInput = SUCCEEDED(hr) ? rtStop : AV_NOPTS_VALUE; - int bufflen = m_buff.GetCount(); + DWORD bufflen = m_buff.GetCount(); // Hack to re-create the BD LPCM header because in the MPC-HC format its stripped off. CMediaType inMt(m_pInput->CurrentMediaType()); @@ -1687,7 +1691,7 @@ HRESULT CLAVAudio::Receive(IMediaSample *pIn) } // Ensure the size of the buffer doesn't overflow (its used as signed int in various places) - if (INT_MAX - (bufflen + FF_INPUT_BUFFER_PADDING_SIZE) < len) { + if (bufflen > (INT_MAX - (DWORD)len)) { DbgLog((LOG_TRACE, 10, L"Too much audio buffered, aborting")); return E_FAIL; } |