[FFmpeg-cvslog] Fix input buffer size check in adpcm_ea decoder.

Reimar Döffinger git at videolan.org
Mon Mar 19 05:30:23 CET 2012


ffmpeg | branch: release/0.8 | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Wed Sep  7 22:14:07 2011 -0400| [282a1a960a75d853928b6b2b2c90951b58cb56dc] | committer: Reinhard Tartler

Fix input buffer size check in adpcm_ea decoder.

Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed writing outside the output buffer if "lucky".

Based on:
git.videolan.org/ffmpeg.git
commit 701d0eb185192542c4a17f296e39e37cedf7abc6
(cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8)

Signed-off-by: Anton Khirnov <anton at khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=282a1a960a75d853928b6b2b2c90951b58cb56dc
---

 libavcodec/adpcm.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 70a5360..277334a 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1291,11 +1291,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
         }
         break;
     case CODEC_ID_ADPCM_EA:
-        if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) {
-            src += buf_size;
-            break;
+        /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+           each coding 28 stereo samples. */
+        if (buf_size < 12) {
+            av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+            return AVERROR(EINVAL);
         }
         samples_in_chunk = AV_RL32(src);
+        if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+            av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+            return AVERROR(EINVAL);
+        }
         src += 4;
         current_left_sample   = (int16_t)bytestream_get_le16(&src);
         previous_left_sample  = (int16_t)bytestream_get_le16(&src);
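Review bot: the new bound on samples_in_chunk relies on truncating division, so a count that is not a multiple of 28 (for example 27 with buf_size == 12) passes the check; that is only safe if the decode loop that follows iterates over whole 30-byte pieces (samples_in_chunk / 28) and never tries to produce the remainder from bytes that are not there. The type of samples_in_chunk is also not visible in this hunk: if it is a signed int, a 32-bit value with the top bit set becomes negative after AV_RL32(), samples_in_chunk / 28 is then negative, the comparison passes, and the frame reaches the decode loop; reading into an unsigned variable, or adding `if (samples_in_chunk < 0)` next to the new check, would make the intent explicit. One more small point: the two new error paths return AVERROR(EINVAL) where the removed code consumed the buffer and broke out silently, so a truncated frame now fails the decode call instead of being skipped; that is the better behaviour, but worth a line in the commit message.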

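To see why the removed check was insufficient and what the new one buys, here is an added example (my own code, not FFmpeg's) that models both checks from the hunk above on constructed frames. It assumes the layout the patch comment states (12-byte header: LE32 sample count plus four int16 predictor states, then 30-byte pieces of 28 samples each), keeps the original types of the removed check (int buf_size compared against the uint32_t AV_RL32() result) so that the negative right-hand side for 4 <= buf_size < 12 converts to a large unsigned value exactly as it does in C, and assumes the decoder consumes one 30-byte piece per 28 counted samples, which is what the new check's arithmetic implies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EA ADPCM frame layout as described in the patch comment. */
#define EA_HEADER_BYTES   12
#define EA_PIECE_BYTES    30
#define EA_PIECE_SAMPLES  28

static uint32_t rl32(const uint8_t *p) {          /* stands in for AV_RL32() */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The check removed by the patch. The explicit cast reproduces C's implicit
 * conversion of the int right-hand side to the unsigned type of AV_RL32():
 * for 4 <= buf_size < 12 the value is negative and wraps to ~4 billion, so
 * any sample count is accepted although the 12-byte header does not fit.
 * Returns 1 if the frame would be decoded. */
int old_check_accepts(const uint8_t *src, int buf_size) {
    if (buf_size < 4 || rl32(src) >= (uint32_t)((buf_size - 12) * 2))
        return 0;
    return 1;
}

/* The check added by the patch. samples_in_chunk is modeled as uint32_t here
 * (an assumption; its declaration is not in the hunk). */
int new_check_accepts(const uint8_t *src, int buf_size) {
    uint32_t samples_in_chunk;
    if (buf_size < EA_HEADER_BYTES)
        return 0;
    samples_in_chunk = rl32(src);
    if (samples_in_chunk / EA_PIECE_SAMPLES >
        (uint32_t)((buf_size - EA_HEADER_BYTES) / EA_PIECE_BYTES))
        return 0;
    return 1;
}

/* Input bytes a decoder consumes if it decodes count/28 whole pieces after the
 * header (assumption about the decode loop, which the hunk does not show). */
uint64_t ea_bytes_consumed(uint32_t count) {
    return EA_HEADER_BYTES +
           (uint64_t)(count / EA_PIECE_SAMPLES) * EA_PIECE_BYTES;
}

/* Builds a constructed frame of buf_size zero bytes carrying `count` in its
 * header and runs one check on it: which == 0 is the removed check, 1 the new
 * one. Returns the check's verdict, or -1 if buf_size does not fit the scratch
 * buffer. Reading the count is guarded by the checks' own size tests, as in
 * the original code. */
int run_check(int which, uint32_t count, int buf_size) {
    uint8_t frame[64];                 /* constructed input, no real audio */
    memset(frame, 0, sizeof frame);
    if (buf_size < 0 || buf_size > (int)sizeof frame)
        return -1;
    if (buf_size >= 4)
        put_le32(frame, count);
    return which ? new_check_accepts(frame, buf_size)
                 : old_check_accepts(frame, buf_size);
}

int main(void) {
    static const struct { uint32_t count; int buf_size; } cases[] = {
        { 28,   42 },   /* one piece, exactly enough input          */
        { 56,   42 },   /* two pieces counted, one present           */
        { 1000,  8 },   /* header itself does not fit                */
        { 27,   12 },   /* header only, no whole piece counted       */
    };
    size_t i;
    printf("%6s %8s %4s %4s %10s\n", "count", "buf_size", "old", "new", "consumed");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t c = cases[i].count;
        int n = cases[i].buf_size;
        printf("%6u %8d %4d %4d %10llu%s\n", c, n,
               run_check(0, c, n), run_check(1, c, n),
               (unsigned long long)ea_bytes_consumed(c),
               ea_bytes_consumed(c) > (uint64_t)n ? "  <- over-reads input" : "");
    }
    return 0;
}
```

The second and third rows are the interesting ones: the removed check accepts a 42-byte frame claiming 56 samples (56 is below (42 - 12) * 2 = 60) even though decoding two pieces needs 72 bytes, and accepts an 8-byte frame with any count because the right-hand side wraps; the new check rejects both. The last row shows the non-multiple-of-28 case the new check lets through, which is safe only while the decoder consumes whole pieces.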

