Mercurial > libavcodec.hg
comparison alac.c @ 6742:81ec037b6151 libavcodec
Fix memset(0) based buffer overflow.
| author | michael |
|---|---|
| date | Sat, 03 May 2008 20:56:57 +0000 |
| parents | a4104482ceef |
| children | 25c5f3b5e902 |
comparison
equal
deleted
inserted
replaced
| 6741:8d6c07df5afd | 6742:81ec037b6151 |
|---|---|
| 197 if (x_modified > 0xffff) | 197 if (x_modified > 0xffff) |
| 198 history = 0xffff; | 198 history = 0xffff; |
| 199 | 199 |
| 200 /* special case: there may be compressed blocks of 0 */ | 200 /* special case: there may be compressed blocks of 0 */ |
| 201 if ((history < 128) && (output_count+1 < output_size)) { | 201 if ((history < 128) && (output_count+1 < output_size)) { |
| 202 int block_size, k; | 202 int k; |
| 203 unsigned int block_size; | |
| 203 | 204 |
| 204 sign_modifier = 1; | 205 sign_modifier = 1; |
| 205 | 206 |
| 206 k = 7 - av_log2(history) + ((history + 16) >> 6 /* / 64 */); | 207 k = 7 - av_log2(history) + ((history + 16) >> 6 /* / 64 */); |
| 207 | 208 |
| 208 block_size= decode_scalar(&alac->gb, k, rice_kmodifier, 16); | 209 block_size= decode_scalar(&alac->gb, k, rice_kmodifier, 16); |
| 209 | 210 |
| 210 if (block_size > 0) { | 211 if (block_size > 0) { |
| 212 if(block_size >= output_size - output_count){ | |
| 213 av_log(alac->avctx, AV_LOG_ERROR, "invalid zero block size of %d %d %d\n", block_size, output_size, output_count); | |
| 214 block_size= output_size - output_count - 1; | |
| 215 } | |
| 211 memset(&output_buffer[output_count+1], 0, block_size * 4); | 216 memset(&output_buffer[output_count+1], 0, block_size * 4); |
| 212 output_count += block_size; | 217 output_count += block_size; |
| 213 } | 218 } |
| 214 | 219 |
| 215 if (block_size > 0xffff) | 220 if (block_size > 0xffff) |