Fix an exploit in indeo by checking we are not writing out of the strip array.

[ffmpeg] / libavcodec / alac.c

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index 23037a5d6f251d34a41c0762f1ff026935f248bf..8cf1ccc69c027c46db339d565eaadf7315bce47b 100644 (file)
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -115,6 +115,10 @@ static int alac_set_info(ALACContext *alac)
     alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr);
     ptr++;                          /* ??? */
     alac->setinfo_sample_size           = *ptr++;
+    if (alac->setinfo_sample_size > 32) {
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_sample_size too large\n");
+        return -1;
+    }
     alac->setinfo_rice_historymult      = *ptr++;
     alac->setinfo_rice_initialhistory   = *ptr++;
     alac->setinfo_rice_kmodifier        = *ptr++;
@@ -407,7 +411,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
     int channels;
     unsigned int outputsamples;
     int hassize;
-    int readsamplesize;
+    unsigned int readsamplesize;
     int wasted_bytes;
     int isnotcompressed;
     uint8_t interlacing_shift;
@@ -472,6 +476,10 @@ static int alac_decode_frame(AVCodecContext *avctx,
 
     *outputsize = outputsamples * alac->bytespersample;
     readsamplesize = alac->setinfo_sample_size - (wasted_bytes * 8) + channels - 1;
+    if (readsamplesize > MIN_CACHE_BITS) {
+        av_log(avctx, AV_LOG_ERROR, "readsamplesize too big (%d)\n", readsamplesize);
+        return -1;
+    }
 
     if (!isnotcompressed) {
         /* so it is compressed */
@@ -531,33 +539,16 @@ static int alac_decode_frame(AVCodecContext *avctx,
         }
     } else {
         /* not compressed, easy case */
-        if (alac->setinfo_sample_size <= 16) {
-            int i, chan;
-            for (chan = 0; chan < channels; chan++)
-                for (i = 0; i < outputsamples; i++) {
-                    int32_t audiobits;
+        int i, chan;
+        for (i = 0; i < outputsamples; i++)
+            for (chan = 0; chan < channels; chan++) {
+                int32_t audiobits;
 
-                    audiobits = get_bits(&alac->gb, alac->setinfo_sample_size);
-                    audiobits = extend_sign32(audiobits, readsamplesize);
+                audiobits = get_bits_long(&alac->gb, alac->setinfo_sample_size);
+                audiobits = extend_sign32(audiobits, alac->setinfo_sample_size);
 
-                    alac->outputsamples_buffer[chan][i] = audiobits;
-                }
-        } else {
-            int i, chan;
-            for (chan = 0; chan < channels; chan++)
-                for (i = 0; i < outputsamples; i++) {
-                    int32_t audiobits;
-
-                    audiobits = get_bits(&alac->gb, 16);
-                    /* special case of sign extension..
-                     * as we'll be ORing the low 16bits into this */
-                    audiobits = audiobits << 16;
-                    audiobits = audiobits >> (32 - alac->setinfo_sample_size);
-                    audiobits |= get_bits(&alac->gb, alac->setinfo_sample_size - 16);
-
-                    alac->outputsamples_buffer[chan][i] = audiobits;
-                }
-        }
+                alac->outputsamples_buffer[chan][i] = audiobits;
+            }
         /* wasted_bytes = 0; */
         interlacing_shift = 0;
         interlacing_leftweight = 0;
@@ -606,7 +597,8 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
     alac->context_initialized = 0;
 
     alac->numchannels = alac->avctx->channels;
-    alac->bytespersample = (avctx->bits_per_sample / 8) * alac->numchannels;
+    alac->bytespersample = 2 * alac->numchannels;
+    avctx->sample_fmt = SAMPLE_FMT_S16;
 
     return 0;
 }
@@ -633,5 +625,5 @@ AVCodec alac_decoder = {
     NULL,
     alac_decode_close,
     alac_decode_frame,
-    .long_name = "ALAC (Apple Lossless Audio Codec)",
+    .long_name = NULL_IF_CONFIG_SMALL("ALAC (Apple Lossless Audio Codec)"),
 };