authorUoti Urpala <uau@mplayer2.org>2012-08-06 21:22:37 +0300
committerwm4 <wm4@nowhere>2012-08-16 17:16:33 +0200
commit7f0926498c59f87c05fcdc1994d9701d9d5f5bd4 (patch)
tree3070516230c5dc5e8d9e35fc2ec722787f4d31f5 /libmpcodecs
parent202ea8214ef1db693405b75559868523ca725ac0 (diff)
ad_ffmpeg: add sanity check against decoder overreads
The libavcodec Musepack SV8 decoder reported 2 bytes consumed for 1 byte of input, which later triggered a crash due to a negative input packet size. Add a sanity check to prevent crashes from this kind of minor decoder overread. Also add a check on the amount of data the parser reports as consumed.
Diffstat (limited to 'libmpcodecs')
-rw-r--r--libmpcodecs/ad_ffmpeg.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/libmpcodecs/ad_ffmpeg.c b/libmpcodecs/ad_ffmpeg.c
index a20689eab8..c4d7c13941 100644
--- a/libmpcodecs/ad_ffmpeg.c
+++ b/libmpcodecs/ad_ffmpeg.c
@@ -291,6 +291,7 @@ static int decode_new_packet(struct sh_audio *sh)
start = mpkt->buffer + mpkt->len - priv->previous_data_left;
int consumed = ds_parse(sh->ds, &start, &insize, pts, 0);
priv->previous_data_left -= consumed;
+ priv->previous_data_left = FFMAX(priv->previous_data_left, 0);
}
AVPacket pkt;
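Review bot: The clamp added after `priv->previous_data_left -= consumed;` absorbs a parser over-consumption silently, so a parser that reports more bytes than it was given leaves no trace in the log. A verbose message before the subtraction would make the condition visible, for example `if (consumed > priv->previous_data_left) mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: parser consumed more than available\n");`. The clamp also bounds only the lower side: if `ds_parse` can return a negative value (its contract is not visible here), `previous_data_left` would grow and the `start` computation above would point before the remaining data, so a `consumed < 0` check may be worth adding. The body of `decode_new_packet` starts and continues outside this hunk.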
@@ -314,8 +315,9 @@ static int decode_new_packet(struct sh_audio *sh)
mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: error\n");
return -1;
}
- if (!sh->parser)
- priv->previous_data_left += insize - ret;
+ // The "insize >= ret" test is sanity check against decoder overreads
+ if (!sh->parser && insize >= ret)
+ priv->previous_data_left = insize - ret;
if (!got_frame)
return 0;
/* An error is reported later from output format checking, but make
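Review bot: When `insize < ret` the guarded assignment is skipped entirely, so `priv->previous_data_left` keeps whatever value it held before the decode call rather than being set to a known state. Whether that earlier value is always zero on the non-parser path cannot be confirmed from the hunk; making the overread case explicit would remove the doubt and match the clamp used in the first hunk: `if (!sh->parser) priv->previous_data_left = FFMAX(insize - ret, 0);`. The new comment explains only the `insize >= ret` test; the switch from `+=` to `=` is not mentioned in the comment or the commit message and deserves a short note such as `// previous_data_left is recomputed from this packet, not accumulated`. The function body continues outside the hunk.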