[FFmpeg-devel] [PATCH] Fix input buffer size check in adpcm_ea decoder.

Reimar Döffinger Reimar.Doeffinger at gmx.de
Fri Apr 8 01:21:06 CEST 2011


Unfortunately, the output buffer size check assumes that the
input buffer is never over-consumed, so this actually
also allowed writing outside the output buffer if "lucky".
---
 libavcodec/adpcm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 826c588..6252dbc 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1291,7 +1291,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
         }
         break;
     case CODEC_ID_ADPCM_EA:
-        if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) {
+        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
             src += buf_size;
             break;
         }
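Review bot: the constants 30 and 28 in `AV_RL32(src) > (buf_size - 12)/30*28` are unexplained in the hunk; a one-line comment stating what they encode (the bytes consumed and samples produced per block, if that is the layout the decode loop assumes) would let a reviewer verify the bound against the loop without re-deriving it. The evaluation order also matters and deserves a comment: `buf_size < 12` is tested first, so `buf_size - 12` is never negative by the time it is computed, and the integer division before the multiplication keeps the right-hand side at the sample count of whole blocks only. With the old check, a `buf_size` between 4 and 11 passed the `buf_size < 4` guard and made `(buf_size - 12) * 2` negative, which is then compared against the unsigned `AV_RL32` result, so the rejection branch could be skipped for inputs shorter than the 12-byte header; the new `buf_size < 12` guard closes that, and it is worth saying so in the commit message.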
-- 
1.7.4.1