# HG changeset patch # User kabi # Date 1003867110 0 # Node ID 036ec148fb18cadfece950980a3f576c3c341d16 # Parent 3073d4ea6ee508d191734bdfb23f6ec8d5973d9b * fixes to avoid crash when broken mp3 header is found diff -r 3073d4ea6ee5 -r 036ec148fb18 mpegaudiodec.c --- a/mpegaudiodec.c Tue Oct 23 19:03:33 2001 +0000 +++ b/mpegaudiodec.c Tue Oct 23 19:58:30 2001 +0000 @@ -985,6 +985,8 @@ /* extract frequency */ sample_rate_index = (header >> 10) & 3; sample_rate = mpa_freq_tab[sample_rate_index] >> (s->lsf + mpeg25); + if (sample_rate == 0) + return 1; sample_rate_index += 3 * (s->lsf + mpeg25); s->sample_rate_index = sample_rate_index; s->error_protection = ((header >> 16) & 1) ^ 1; @@ -2280,7 +2282,7 @@ (s->inbuf[2] << 8) | s->inbuf[3]; if (check_header(header) < 0) { /* no sync found : move by one byte (inefficient, but simple!) */ - memcpy(s->inbuf, s->inbuf + 1, HEADER_SIZE - 1); + memcpy(s->inbuf, s->inbuf + 1, s->inbuf_ptr - s->inbuf); s->inbuf_ptr--; dprintf("skip %x\n", header); /* reset free format frame size to give a chance @@ -2290,6 +2292,8 @@ if (decode_header(s, header) == 1) { /* free format: compute frame size */ s->frame_size = -1; + memcpy(s->inbuf, s->inbuf + 1, s->inbuf_ptr - s->inbuf); + s->inbuf_ptr--; } else { /* update codec info */ avctx->sample_rate = s->sample_rate; @@ -2350,14 +2354,18 @@ buf_size -= len; } } else if (len < s->frame_size) { + if (s->frame_size > MPA_MAX_CODED_FRAME_SIZE) + s->frame_size = MPA_MAX_CODED_FRAME_SIZE; len = s->frame_size - len; if (len > buf_size) len = buf_size; - + else if (len > 0) + { memcpy(s->inbuf_ptr, buf_ptr, len); buf_ptr += len; s->inbuf_ptr += len; buf_size -= len; + } } else { out_size = mp_decode_frame(s, out_samples); s->inbuf_ptr = s->inbuf;