diff options
Diffstat (limited to 'libavcodec/wavpack.c')
-rw-r--r-- | libavcodec/wavpack.c | 40 |
1 files changed, 27 insertions, 13 deletions
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 37e8768..481d323 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -2,20 +2,20 @@ * WavPack lossless audio decoder * Copyright (c) 2006,2011 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -47,6 +47,8 @@ #define WV_FLT_ZERO_SENT 0x08 #define WV_FLT_ZERO_SIGN 0x10 +#define WV_MAX_SAMPLES 131072 + enum WP_ID_Flags { WP_IDF_MASK = 0x1F, WP_IDF_IGNORE = 0x20, @@ -371,6 +373,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(2); } if (!c->error_limit) { + if (add >= 0x2000000U) { + av_log(ctx->avctx, AV_LOG_ERROR, "k %d is too large\n", add); + goto error; + } ret = base + get_tail(gb, add); if (get_bits_left(gb) <= 0) goto error; @@ -784,6 +790,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, return -1; } + if (wc->ch_offset >= avctx->channels) { + av_log(avctx, AV_LOG_ERROR, "too many channels\n"); + return -1; + } + memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr)); memset(s->ch, 0, sizeof(s->ch)); s->extra_bits = 0; @@ -796,6 +807,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, *got_frame_ptr = 0; return 0; } + if (s->samples > wc->samples) { + av_log(avctx, AV_LOG_ERROR, "too many samples in block"); + return -1; + } } else { s->samples = wc->samples; } @@ -891,7 +906,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } t = 0; - for (i = s->terms - 1; (i >= 0) && (t < size); i--) { + for (i = s->terms - 1; (i >= 0) && (t < size) && buf <= buf_end; i--) { if (s->decorr[i].value > 8) { s->decorr[i].samplesA[0] = wp_exp2(AV_RL16(buf)); buf += 2; s->decorr[i].samplesA[1] = wp_exp2(AV_RL16(buf)); buf += 2; @@ -906,7 +921,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->decorr[i].samplesB[0] = wp_exp2(AV_RL16(buf)); buf += 2; t += 4; } else { - for (j = 0; j < s->decorr[i].value; j++) { + for (j = 0; j < s->decorr[i].value && buf+1<buf_end; j++) { s->decorr[i].samplesA[j] = wp_exp2(AV_RL16(buf)); buf += 2; if (s->stereo_in) { s->decorr[i].samplesB[j] = wp_exp2(AV_RL16(buf)); buf += 2; @@ -1188,7 +1203,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, frame_flags = AV_RL32(buf + 4); } } - if (s->samples <= 0) { + if (s->samples <= 0 || s->samples > WV_MAX_SAMPLES) { av_log(avctx, AV_LOG_ERROR, "Invalid number of samples: %d\n", s->samples); return AVERROR(EINVAL); @@ -1204,11 +1219,10 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, } /* get output buffer */ - frame->nb_samples = s->samples; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->nb_samples = s->samples + 1; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - } + frame->nb_samples = s->samples; while (buf_size > 0) { if (!s->multichannel) { @@ -1226,13 +1240,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d " "vs. %d bytes left)\n", s->block, frame_size, buf_size); wavpack_decode_flush(avctx); - return -1; + return AVERROR_INVALIDDATA; } if ((samplecount = wavpack_decode_block(avctx, s->block, frame->data[0], got_frame_ptr, buf, frame_size)) < 0) { wavpack_decode_flush(avctx); - return -1; + return AVERROR_INVALIDDATA; } s->block++; buf += frame_size; buf_size -= frame_size; |