diff options
Diffstat (limited to 'libavcodec/wavpack.c')
| -rw-r--r-- | libavcodec/wavpack.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e8f34fa..574ce15 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -2,20 +2,20 @@ * WavPack lossless audio decoder * Copyright (c) 2006,2011 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -47,6 +47,8 @@ #define WV_FLT_ZERO_SENT 0x08 #define WV_FLT_ZERO_SIGN 0x10 +#define WV_MAX_SAMPLES 131072 + enum WP_ID_Flags { WP_IDF_MASK = 0x1F, WP_IDF_IGNORE = 0x20, @@ -788,6 +790,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, return -1; } + if (wc->ch_offset >= avctx->channels) { + av_log(avctx, AV_LOG_ERROR, "too many channels\n"); + return -1; + } + memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr)); memset(s->ch, 0, sizeof(s->ch)); s->extra_bits = 0; @@ -800,6 +807,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, *got_frame_ptr = 0; return 0; } + if (s->samples > wc->samples) { + av_log(avctx, AV_LOG_ERROR, "too many samples in block"); + return -1; + } } else { s->samples = wc->samples; } @@ -895,7 +906,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } t = 0; - for (i = s->terms - 1; (i >= 0) && (t < size); i--) { + for (i = s->terms - 1; (i >= 0) && (t < size) && buf <= buf_end; i--) { if (s->decorr[i].value > 8) { s->decorr[i].samplesA[0] = wp_exp2(AV_RL16(buf)); buf += 2; s->decorr[i].samplesA[1] = wp_exp2(AV_RL16(buf)); buf += 2; @@ -910,7 +921,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->decorr[i].samplesB[0] = wp_exp2(AV_RL16(buf)); buf += 2; t += 4; } else { - for (j = 0; j < s->decorr[i].value; j++) { + for (j = 0; j < s->decorr[i].value && buf+1<buf_end; j++) { s->decorr[i].samplesA[j] = wp_exp2(AV_RL16(buf)); buf += 2; if (s->stereo_in) { s->decorr[i].samplesB[j] = wp_exp2(AV_RL16(buf)); buf += 2; @@ -1191,7 +1202,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, frame_flags = AV_RL32(buf + 4); } } - if (s->samples <= 0) { + if (s->samples <= 0 || s->samples > WV_MAX_SAMPLES) { av_log(avctx, AV_LOG_ERROR, "Invalid number of samples: %d\n", s->samples); return AVERROR(EINVAL); @@ -1207,11 +1218,12 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, } /* get output buffer */ - s->frame.nb_samples = s->samples; + s->frame.nb_samples = s->samples + 1; if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } + s->frame.nb_samples = s->samples; while (buf_size > 0) { if (!s->multichannel) { @@ -1229,13 +1241,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d " "vs. %d bytes left)\n", s->block, frame_size, buf_size); wavpack_decode_flush(avctx); - return -1; + return AVERROR_INVALIDDATA; } if ((samplecount = wavpack_decode_block(avctx, s->block, s->frame.data[0], got_frame_ptr, buf, frame_size)) < 0) { wavpack_decode_flush(avctx); - return -1; + return AVERROR_INVALIDDATA; } s->block++; buf += frame_size; buf_size -= frame_size; |
