Commit 3935f543 authored by Rafaël Carré's avatar Rafaël Carré Committed by Jean-Baptiste Kempf

mp4a packetizer: fix buffer overflow

(cherry picked from commit 9794ec1cd268c04c8bca13a5fae15df6594dff3e)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>

Conflicts:
	modules/packetizer/mpeg4audio.c
parent e87c46b5
...@@ -881,7 +881,6 @@ static int LOASParse( decoder_t *p_dec, uint8_t *p_buffer, int i_buffer ) ...@@ -881,7 +881,6 @@ static int LOASParse( decoder_t *p_dec, uint8_t *p_buffer, int i_buffer )
for( i_program = 0; i_program < p_sys->latm.i_programs; i_program++ ) for( i_program = 0; i_program < p_sys->latm.i_programs; i_program++ )
{ {
int i_layer; int i_layer;
int i;
for( i_layer = 0; i_layer < p_sys->latm.pi_layers[i_program]; i_layer++ ) for( i_layer = 0; i_layer < p_sys->latm.pi_layers[i_program]; i_layer++ )
{ {
/* XXX we only extract 1 stream */ /* XXX we only extract 1 stream */
...@@ -892,8 +891,11 @@ static int LOASParse( decoder_t *p_dec, uint8_t *p_buffer, int i_buffer ) ...@@ -892,8 +891,11 @@ static int LOASParse( decoder_t *p_dec, uint8_t *p_buffer, int i_buffer )
continue; continue;
/* FIXME that's slow (and a bit ugly to write in place) */ /* FIXME that's slow (and a bit ugly to write in place) */
for( i = 0; i < pi_payload[i_program][i_layer]; i++ ) for (int i = 0; i < pi_payload[i_program][i_layer]; i++) {
p_buffer[i_accumulated++] = bs_read( &s, 8 ); if (i_accumulated >= i_buffer)
return 0;
p_buffer[i_accumulated++] = bs_read(&s, 8);
}
} }
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment