Fix an exploit in indeo by checking we are not writing out of the strip array.

[ffmpeg] / libavcodec / alac.c

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index cb710a634637c77b9623d22f8db6131f0d11c58a..8cf1ccc69c027c46db339d565eaadf7315bce47b 100644 (file)
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -411,7 +411,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
     int channels;
     unsigned int outputsamples;
     int hassize;
-    int readsamplesize;
+    unsigned int readsamplesize;
     int wasted_bytes;
     int isnotcompressed;
     uint8_t interlacing_shift;
@@ -476,6 +476,10 @@ static int alac_decode_frame(AVCodecContext *avctx,
 
     *outputsize = outputsamples * alac->bytespersample;
     readsamplesize = alac->setinfo_sample_size - (wasted_bytes * 8) + channels - 1;
+    if (readsamplesize > MIN_CACHE_BITS) {
+        av_log(avctx, AV_LOG_ERROR, "readsamplesize too big (%d)\n", readsamplesize);
+        return -1;
+    }
 
     if (!isnotcompressed) {
         /* so it is compressed */
@@ -593,7 +597,7 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
     alac->context_initialized = 0;
 
     alac->numchannels = alac->avctx->channels;
-    alac->bytespersample = (avctx->bits_per_sample / 8) * alac->numchannels;
+    alac->bytespersample = 2 * alac->numchannels;
     avctx->sample_fmt = SAMPLE_FMT_S16;
 
     return 0;