cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
195ffe85c1
openbsd-ports/graphics/ffmpeg/patches/patch-libavcodec_wavpack_c
sthen b519e03198 add a fix to FFmpeg, from Brad: 
wavpack: Check error codes rather than working around error conditions
2011-09-21 08:58:48 +00:00

140 lines
4.6 KiB
Plaintext
Raw Blame History

$OpenBSD: patch-libavcodec_wavpack_c,v 1.2 2011/09/21 08:58:48 sthen Exp $
- Fixed invalid access with corrupted extra bits sub-blocks.
- Fixed invalid writes with corrupted bitstreams.
- Fixed invalid access with corrupted bitstream.
--- libavcodec/wavpack.c.orig Mon Mar 28 19:23:17 2011
+++ libavcodec/wavpack.c Mon Sep 12 03:06:17 2011
@@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetB
}
}else{
t = get_unary_0_33(gb);
- if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1));
+ if(t >= 2){
+ if(get_bits_left(gb) < t-1)
+ goto error;
+ t = get_bits(gb, t - 1) | (1 << (t-1));
+ }else{
+ if(get_bits_left(gb) < 0)
+ goto error;
+ }
ctx->zeroes = t;
if(ctx->zeroes){
memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median));
@@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetB
}
}
- if(get_bits_count(gb) >= ctx->data_size){
- *last = 1;
- return 0;
- }
-
if(ctx->zero){
t = 0;
ctx->zero = 0;
}else{
t = get_unary_0_33(gb);
- if(get_bits_count(gb) >= ctx->data_size){
- *last = 1;
- return 0;
- }
+ if(get_bits_left(gb) < 0)
+ goto error;
if(t == 16) {
t2 = get_unary_0_33(gb);
- if(t2 < 2) t += t2;
- else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+ if(t2 < 2){
+ if(get_bits_left(gb) < 0)
+ goto error;
+ t += t2;
+ }else{
+ if(get_bits_left(gb) < t2 - 1)
+ goto error;
+ t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+ }
}
if(ctx->one){
@@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetB
}
if(!c->error_limit){
ret = base + get_tail(gb, add);
+ if (get_bits_left(gb) <= 0)
+ goto error;
}else{
int mid = (base*2 + add + 1) >> 1;
while(add > c->error_limit){
+ if(get_bits_left(gb) <= 0)
+ goto error;
if(get_bits1(gb)){
add -= (mid - base);
base = mid;
@@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetB
if(ctx->hybrid_bitrate)
c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level);
return sign ? ~ret : ret;
+
+error:
+ *last = 1;
+ return 0;
}
static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S)
@@ -385,7 +400,7 @@ static inline int wv_get_value_integer(WavpackFrameCon
if(s->extra_bits){
S <<= s->extra_bits;
- if(s->got_extra_bits){
+ if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){
S |= get_bits(&s->gb_extra_bits, s->extra_bits);
*crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16);
}
@@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext
count++;
}while(!last && count < s->max_samples);
- s->samples_left -= count;
+ if (last)
+ s->samples_left = 0;
+ else
+ s->samples_left -= count;
if(!s->samples_left){
if(crc != s->CRC){
av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");
@@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *
count++;
}while(!last && count < s->max_samples);
- s->samples_left -= count;
+ if (last)
+ s->samples_left = 0;
+ else
+ s->samples_left -= count;
if(!s->samples_left){
if(crc != s->CRC){
av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");
@@ -1098,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx,
samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32);
else
samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT);
+
+ if (samplecount < 0)
+ return -1;
+
samplecount >>= 1;
}else{
const int channel_stride = avctx->channels;
@@ -1108,6 +1133,9 @@ static int wavpack_decode_block(AVCodecContext *avctx,
samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_S32);
else
samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT);
+
+ if (samplecount < 0)
+ return -1;
if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){
int16_t *dst = (int16_t*)samples + 1;
Reference in New Issue View Git Blame Copy Permalink