Fixed overreads in TTA decoder with corrupted bistreams.

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@22176 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

Fixed overreads in TTA decoder with corrupted bistreams.
git-svn-id: file:///var/local/repositories/ffmpeg/trunk@22176 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
34d415fb · fenrir · 318badf1 · 34d415fb
Commit 34d415fb authored Mar 03, 2010 by fenrir
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

libavcodec/tta.c libavcodec/tta.c +9 -2

No files found.
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -332,9 +332,14 @@ static int tta_decode_frame(AVCodecContext *avctx,
                unary--;
            }
-            if (k)
+            if (get_bits_left(&s->gb) < k)
+                return -1;
+            if (k) {
+                if (k > MIN_CACHE_BITS)
+                    return -1;
                value = (unary << k) + get_bits(&s->gb, k);
-            else
+            } else
                value = unary;
            // FIXME: copy paste from original
@@ -404,6 +409,8 @@ static int tta_decode_frame(AVCodecContext *avctx,
            }
        }
+        if (get_bits_left(&s->gb) < 32)
+            return -1;
        skip_bits(&s->gb, 32); // frame crc
        // convert to output buffer