From a9837b58e1b060ed31753821536de128a0deaf26 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Wed, 3 Mar 2010 19:31:46 +0000
Subject: [PATCH] Fixed overreads in TTA decoder with corrupted bistreams.

Originally committed as revision 22176 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/tta.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index b26724b528..7dd4cc5059 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -332,9 +332,14 @@ static int tta_decode_frame(AVCodecContext *avctx,
 unary--;
 }
 
- if (k)
+ if (get_bits_left(&s->gb) < k)
+ return -1;
+
+ if (k) {
+ if (k > MIN_CACHE_BITS)
+ return -1;
 value = (unary << k) + get_bits(&s->gb, k);
- else
+ } else
 value = unary;
 
 // FIXME: copy paste from original
@@ -404,6 +409,8 @@ static int tta_decode_frame(AVCodecContext *avctx,
 }
 }
 
+ if (get_bits_left(&s->gb) < 32)
+ return -1;
 skip_bits(&s->gb, 32); // frame crc
 
 // convert to output buffer
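Review bot: The new guard `if (get_bits_left(&s->gb) < k)` in the first hunk compares a signed bit count with `k`, whose declaration is outside the hunk. If `k` is an unsigned type, a negative `get_bits_left()` result (reader already past the end of the buffer) is converted to a large unsigned value and the check passes, so the later `get_bits(&s->gb, k)` can still overread. Range-checking `k` first and then comparing as signed avoids that: `if (k > MIN_CACHE_BITS || get_bits_left(&s->gb) < (int)k) return -1;`. The code that produces `unary` just before this hunk is not visible here, so it is worth confirming that read is bounded by `get_bits_left()` too. tta_decode_frame starts and ends outside the hunk.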
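Review bot: The new failure paths return a bare `-1` with no diagnostic: the `get_bits_left(&s->gb) < 32` check before the frame CRC is skipped in this hunk, and the two returns added in the hunk at -332. A truncated or corrupted packet is then hard to tell apart from other decode failures when triaging malformed input. Suggest logging and returning a specific code, e.g. `av_log(avctx, AV_LOG_ERROR, "truncated TTA frame\n"); return AVERROR_INVALIDDATA;`. A short comment such as `/* frame ends with a 32-bit CRC; reject packets too short to hold it */` would also explain the constant 32. The function body continues outside the hunk.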