Skip to content

Commit ba4beaf

Browse files
committed
avcodec/apedec: Fix integer overflow
Fixes: out of array access Fixes: PoC.ape and others Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent 615479d commit ba4beaf

File tree

1 file changed

+5
-3
lines changed

1 file changed

+5
-3
lines changed

Diff for: libavcodec/apedec.c

+5-3
Original file line numberDiff line numberDiff line change
@@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
14121412
int32_t *sample24;
14131413
int i, ch, ret;
14141414
int blockstodecode;
1415+
uint64_t decoded_buffer_size;
14151416

14161417
/* this should never be negative, but bad things will happen if it is, so
14171418
check it just to make sure. */
@@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
14671468
skip_bits_long(&s->gb, offset);
14681469
}
14691470

1470-
if (!nblocks || nblocks > INT_MAX) {
1471+
if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
14711472
av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
14721473
nblocks);
14731474
return AVERROR_INVALIDDATA;
@@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
14931494
blockstodecode = s->samples;
14941495

14951496
/* reallocate decoded sample buffer if needed */
1496-
av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
1497-
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
1497+
decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
1498+
av_assert0(decoded_buffer_size <= INT_MAX);
1499+
av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
14981500
if (!s->decoded_buffer)
14991501
return AVERROR(ENOMEM);
15001502
memset(s->decoded_buffer, 0, s->decoded_size);

0 commit comments

Comments
 (0)