Mercurial > libavcodec.hg
comparison alac.c @ 3303:68721b62a528 libavcodec
sanity checks, some might have been exploitable ...
| author | michael |
|---|---|
| date | Sat, 13 May 2006 10:45:26 +0000 |
| parents | 32e634e0d5cc |
| children | 82277c821113 |
comparison
equal
deleted
inserted
replaced
| 3302:cb356bfc7e22 | 3303:68721b62a528 |
|---|---|
| 98 | 98 |
| 99 alac->outputsamples_buffer_a = av_malloc(alac->setinfo_max_samples_per_frame * 4); | 99 alac->outputsamples_buffer_a = av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| 100 alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4); | 100 alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| 101 } | 101 } |
| 102 | 102 |
| 103 static void alac_set_info(ALACContext *alac) | 103 static int alac_set_info(ALACContext *alac) |
| 104 { | 104 { |
| 105 unsigned char *ptr = alac->avctx->extradata; | 105 unsigned char *ptr = alac->avctx->extradata; |
| 106 | 106 |
| 107 ptr += 4; /* size */ | 107 ptr += 4; /* size */ |
| 108 ptr += 4; /* alac */ | 108 ptr += 4; /* alac */ |
| 109 ptr += 4; /* 0 ? */ | 109 ptr += 4; /* 0 ? */ |
| 110 | 110 |
| 111 if(BE_32(ptr) >= UINT_MAX/4){ | |
| 112 av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n"); | |
| 113 return -1; | |
| 114 } | |
| 111 alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */ | 115 alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */ |
| 112 ptr += 4; | 116 ptr += 4; |
| 113 alac->setinfo_7a = *ptr++; | 117 alac->setinfo_7a = *ptr++; |
| 114 alac->setinfo_sample_size = *ptr++; | 118 alac->setinfo_sample_size = *ptr++; |
| 115 alac->setinfo_rice_historymult = *ptr++; | 119 alac->setinfo_rice_historymult = *ptr++; |
| 124 ptr += 4; | 128 ptr += 4; |
| 125 alac->setinfo_8a_rate = BE_32(ptr); // samplerate | 129 alac->setinfo_8a_rate = BE_32(ptr); // samplerate |
| 126 ptr += 4; | 130 ptr += 4; |
| 127 | 131 |
| 128 allocate_buffers(alac); | 132 allocate_buffers(alac); |
| 133 | |
| 134 return 0; | |
| 129 } | 135 } |
| 130 | 136 |
| 131 /* hideously inefficient. could use a bitmask search, | 137 /* hideously inefficient. could use a bitmask search, |
| 132 * alternatively bsr on x86, | 138 * alternatively bsr on x86, |
| 133 */ | 139 */ |