changeset 5817:ced30500e2b1 libavcodec

Prevent an infinite loop and memcpy of negative amounts; fixes issue194.
author michael
date Sat, 13 Oct 2007 12:25:31 +0000
parents 0168cd384df3
children e0a872dd3ea1
files aac_parser.c ac3_parser.c
diffstat 2 files changed, 6 insertions(+), 0 deletions(-) [+]
--- a/aac_parser.c	Sat Oct 13 09:58:39 2007 +0000
+++ b/aac_parser.c	Sat Oct 13 12:25:31 2007 +0000
@@ -67,6 +67,9 @@
     skip_bits1(&bits);          /* copyright_identification_bit */
     skip_bits1(&bits);          /* copyright_identification_start */
     size = get_bits(&bits, 13); /* aac_frame_length */
+    if(size < AAC_HEADER_SIZE)
+        return 0;
+
     skip_bits(&bits, 11);       /* adts_buffer_fullness */
     rdb = get_bits(&bits, 2);   /* number_of_raw_data_blocks_in_frame */
 
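Review bot: The new bound on `size` carries no comment saying why a too-small aac_frame_length must be rejected, and the same is true of the `frmsiz*2` check in the ac3_parser.c hunk. Going by the commit message, the 13-bit field is taken straight from the stream and a value below the header size led to a negative copy length and a loop that never advanced, so I would add `/* aac_frame_length includes the header; reject corrupt values smaller than it */` above the `if`. It is also worth confirming whether a frame that carries a CRC (protection_absent == 0) needs a larger minimum than AAC_HEADER_SIZE, since that case is not visible here. The enclosing function starts and ends outside the hunk.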
--- a/ac3_parser.c	Sat Oct 13 09:58:39 2007 +0000
+++ b/ac3_parser.c	Sat Oct 13 12:25:31 2007 +0000
@@ -114,6 +114,9 @@
             return 0;   /* Currently don't support additional streams */
 
         frmsiz = get_bits(&bits, 11) + 1;
+        if(frmsiz*2 < AC3_HEADER_SIZE)
+            return 0;
+
         fscod = get_bits(&bits, 2);
         if (fscod == 3) {
             fscod2 = get_bits(&bits, 2);
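Review bot: The guard on `frmsiz*2` sits inside a nested branch, so only the frame size read from this 11-bit field is checked. The path that derives the size for the other bitstream variant is outside the hunk and should be confirmed never to produce a value below AC3_HEADER_SIZE. The `*2` suggests frmsiz is counted in 16-bit words, which the visible lines do not state; a short comment such as `/* frmsiz is in 16-bit words, compare in bytes */` would make the units explicit. The enclosing function and this branch both start and end outside the hunk.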