Message ID | PAXP193MB1262F7F3F785354C56C22723B6F99@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM |
---|---|
State | New |
Series | [FFmpeg-devel,v1,01/10] return value check for init_get_bits in wmv2dec.c | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | fail | Make failed |
andriy/PPC64_make | warning | Make failed |
On Thu, Aug 12, 2021 at 6:52 AM maryam ebrahimzadeh <me22bee@outlook.com> wrote:
>
> ---
> libavcodec/wmadec.c | 15 +++++++++++----
> 1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
> index d627bbe50e..6ac6221d11 100644
> --- a/libavcodec/wmadec.c
> +++ b/libavcodec/wmadec.c
> @@ -904,8 +907,10 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
> memset(q, 0, AV_INPUT_BUFFER_PADDING_SIZE);
>
> /* XXX: bit_offset bits into last frame */
> - init_get_bits(&s->gb, s->last_superframe,
> - s->last_superframe_len * 8 + bit_offset);
> + ret = init_get_bits8(&s->gb, s->last_superframe,
> + (s->last_superframe_len * 8 + bit_offset)/8);
> + if (ret < 0)
> + return ret;
This part uses an actual bit count to limit the reader (from bit_offset), by using init_get_bit8 here, the number is effectively rounded and may not be accurate anymore. last_superframe_len is also bound-checked at the beginning of the block already, so this is not going to exceed the buffer size, and therefor no change is needed. - Hendrik
diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
index d627bbe50e..6ac6221d11 100644
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -822,6 +822,7 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
 uint8_t *q;
 float **samples;
 int samples_offset;
+ int ret;
 ff_tlog(avctx, "***decode_superframe:\n");
@@ -838,7 +839,9 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
 if (avctx->block_align)
 buf_size = avctx->block_align;
- init_get_bits(&s->gb, buf, buf_size * 8);
+ ret = init_get_bits8(&s->gb, buf, buf_size);
+ if (ret < 0)
+ return ret;
 if (s->use_bit_reservoir) {
 /* read super frame header */
@@ -904,8 +907,10 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
 memset(q, 0, AV_INPUT_BUFFER_PADDING_SIZE);
 /* XXX: bit_offset bits into last frame */
- init_get_bits(&s->gb, s->last_superframe,
- s->last_superframe_len * 8 + bit_offset);
+ ret = init_get_bits8(&s->gb, s->last_superframe,
+ (s->last_superframe_len * 8 + bit_offset)/8);
+ if (ret < 0)
+ return ret;
 /* skip unused bits */
 if (s->last_bitoffset > 0)
 skip_bits(&s->gb, s->last_bitoffset);
@@ -921,7 +926,9 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
 pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
 if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8 || pos > buf_size * 8)
 return AVERROR_INVALIDDATA;
- init_get_bits(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3)) * 8);
+ int ret = init_get_bits8(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3)));
+ if (ret < 0)
+ return ret;
 len = pos & 7;
 if (len > 0)
 skip_bits(&s->gb, len);
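Review bot: The last hunk (`@@ -921,7 +926,9 @@`) introduces a second `ret` with `int ret = init_get_bits8(...)`, although the first hunk already adds `int ret;` among the declarations at the top of wma_decode_superframe. The new declaration follows statements in its block and shadows the outer variable (the enclosing block opens outside the hunk, so a same-scope redefinition cannot be ruled out); this may be connected to the "Make failed" checks listed for this patch, but no build log is shown. Assign to the existing variable as the other hunks do: `ret = init_get_bits8(&s->gb, buf + (pos >> 3), buf_size - (pos >> 3));`.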