amrnbdec: check frame size before decoding.

Message ID 20120305143952.B67125DEA1@aruru.libav.org
State New

Commit Message

Janne Grunau March 5, 2012, 2:39 p.m.
Module: libav
Branch: release/0.8
Commit: 11f3173e1bae135eb18a10b0060a5dd4b9fdcc74

Author:    Vitor Sessak <vitor1001@gmail.com>
Committer: Reinhard Tartler <siretart@tauware.de>
Date:      Wed Feb 29 22:09:10 2012 +0100

amrnbdec: check frame size before decoding.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

---

 libavcodec/amrnbdec.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

Patch

diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c
index fff0e72..a7d0b4e 100644
--- a/libavcodec/amrnbdec.c
+++ b/libavcodec/amrnbdec.c
@@ -200,6 +200,10 @@  static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf,
     p->bad_frame_indicator = !get_bits1(&gb); // quality bit
     skip_bits(&gb, 2);                        // two padding bits
 
+    if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1) {
+        return NO_DATA;
+    }
+
     if (mode < MODE_DTX)
         ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + 1,
                            amr_unpacking_bitmaps_per_mode[mode]);
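Review bot: The new guard in unpack_bitstream runs only after the header bits have been pulled from `buf` (the `get_bits1`/`skip_bits` calls just above it, plus the mode read that lies outside this hunk), so an empty packet is rejected only after its first byte has already been read. If callers can reach this function with `buf_size == 0`, an `if (buf_size < 1) return NO_DATA;` placed ahead of the bit-reader setup would close that gap. The `mode >= N_MODES` test correctly precedes the `frame_sizes_nb[mode]` index, and a short comment such as `// +1: header byte precedes the payload (see buf + 1 below)` would explain the size arithmetic. The function body starts and ends outside the hunk.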
@@ -947,6 +951,10 @@  static int amrnb_decode_frame(AVCodecContext *avctx, void *data,
     buf_out = (float *)p->avframe.data[0];
 
     p->cur_frame_mode = unpack_bitstream(p, buf, buf_size);
+    if (p->cur_frame_mode == NO_DATA) {
+        av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n");
+        return AVERROR_INVALIDDATA;
+    }
     if (p->cur_frame_mode == MODE_DTX) {
         av_log_missing_feature(avctx, "dtx mode", 1);
         return -1;
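Review bot: `NO_DATA` now doubles as the error sentinel for both an out-of-range mode and a truncated packet, and the added branch in amrnb_decode_frame reports every case as "Corrupt bitstream". If the mode field can legitimately carry the NO_DATA value, such frames are now also rejected as invalid data; that may be intended, but it deserves a comment at the check. Including the size in the message, e.g. `av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream (packet size %d)\n", buf_size);`, would make malformed inputs easier to triage from logs. The function continues outside the hunk.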