diff mbox series

[FFmpeg-devel,v1,04/10] return value check for init_get_bits in wmadec.c

Message ID PAXP193MB1262F7F3F785354C56C22723B6F99@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM
State New
Headers show
Series [FFmpeg-devel,v1,01/10] return value check for init_get_bits in wmv2dec.c | expand

Checks

Context Check Description
andriy/x86_make fail Make failed
andriy/PPC64_make warning Make failed

Commit Message

Maryam Ebrahimzadeh Aug. 12, 2021, 4:52 a.m. UTC 
---
 libavcodec/wmadec.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

Comments

Hendrik Leppkes Aug. 12, 2021, 6:03 a.m. UTC | #1 
On Thu, Aug 12, 2021 at 6:52 AM maryam ebrahimzadeh <me22bee@outlook.com> wrote:
>
> ---
>  libavcodec/wmadec.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
> index d627bbe50e..6ac6221d11 100644
> --- a/libavcodec/wmadec.c
> +++ b/libavcodec/wmadec.c
> @@ -904,8 +907,10 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
>              memset(q, 0, AV_INPUT_BUFFER_PADDING_SIZE);
>
>              /* XXX: bit_offset bits into last frame */
> -            init_get_bits(&s->gb, s->last_superframe,
> -                          s->last_superframe_len * 8 + bit_offset);
> +            ret = init_get_bits8(&s->gb, s->last_superframe,
> +                          (s->last_superframe_len * 8 + bit_offset)/8);
> +            if (ret < 0)
> +                return ret;

This part uses an actual bit count to limit the reader (from
bit_offset), by using init_get_bit8 here, the number is effectively
rounded and may not be accurate anymore.
last_superframe_len is also  bound-checked at the beginning of the
block already, so this is not going to exceed the buffer size, and
therefor no change is needed.

- Hendrik
diff mbox series

Patch

diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
index d627bbe50e..6ac6221d11 100644
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -822,6 +822,7 @@  static int wma_decode_superframe(AVCodecContext *avctx, void *data,
     uint8_t *q;
     float **samples;
     int samples_offset;
+    int ret;
 
     ff_tlog(avctx, "***decode_superframe:\n");
 
@@ -838,7 +839,9 @@  static int wma_decode_superframe(AVCodecContext *avctx, void *data,
     if (avctx->block_align)
         buf_size = avctx->block_align;
 
-    init_get_bits(&s->gb, buf, buf_size * 8);
+    ret = init_get_bits8(&s->gb, buf, buf_size);
+    if (ret < 0)
+        return ret;
 
     if (s->use_bit_reservoir) {
         /* read super frame header */
@@ -904,8 +907,10 @@  static int wma_decode_superframe(AVCodecContext *avctx, void *data,
             memset(q, 0, AV_INPUT_BUFFER_PADDING_SIZE);
 
             /* XXX: bit_offset bits into last frame */
-            init_get_bits(&s->gb, s->last_superframe,
-                          s->last_superframe_len * 8 + bit_offset);
+            ret = init_get_bits8(&s->gb, s->last_superframe,
+                          (s->last_superframe_len * 8 + bit_offset)/8);
+            if (ret < 0)
+                return ret;
             /* skip unused bits */
             if (s->last_bitoffset > 0)
                 skip_bits(&s->gb, s->last_bitoffset);
@@ -921,7 +926,9 @@  static int wma_decode_superframe(AVCodecContext *avctx, void *data,
         pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
         if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8 || pos > buf_size * 8)
             return AVERROR_INVALIDDATA;
-        init_get_bits(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3)) * 8);
+        int ret = init_get_bits8(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3)));
+        if (ret < 0)
+            return ret;
         len = pos & 7;
         if (len > 0)
             skip_bits(&s->gb, len);