vorbis_comment_init(&context->vc) ;
if(p[0] == 0 && p[1] == 30) {
+ int sizesum = 0;
for(i = 0; i < 3; i++){
hsizes[i] = bytestream_get_be16((const uint8_t **)&p);
+ sizesum += 2 + hsizes[i];
+ if (sizesum > avccontext->extradata_size) {
+ av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n");
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
+
headers[i] = p;
p += hsizes[i];
}
} else if(*p == 2) {
unsigned int offset = 1;
+ unsigned int sizesum = 1;
p++;
for(i=0; i<2; i++) {
hsizes[i] = 0;
- while((*p == 0xFF) && (offset < avccontext->extradata_size)) {
+ while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) {
hsizes[i] += 0xFF;
offset++;
+ sizesum += 1 + 0xFF;
p++;
}
- if(offset >= avccontext->extradata_size - 1) {
+ hsizes[i] += *p;
+ offset++;
+ sizesum += 1 + *p;
+ if(sizesum > avccontext->extradata_size) {
av_log(avccontext, AV_LOG_ERROR,
"vorbis header sizes damaged\n");
ret = AVERROR_INVALIDDATA;
goto error;
}
- hsizes[i] += *p;
- offset++;
p++;
}
hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset;
.init = oggvorbis_decode_init,
.decode = oggvorbis_decode_frame,
.close = oggvorbis_decode_close,
- .capabilities = AV_CODEC_CAP_DELAY,
+ .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_CHANNEL_CONF,
};