Fix memset(0) based buffer overflow.
authorMichael Niedermayer <michaelni@gmx.at>
Sat, 3 May 2008 20:56:57 +0000 (20:56 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Sat, 3 May 2008 20:56:57 +0000 (20:56 +0000)
Originally committed as revision 13050 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/alac.c

index 648b4b6..9fbba95 100644 (file)
@@ -199,7 +199,8 @@ static void bastardized_rice_decompress(ALACContext *alac,
 
         /* special case: there may be compressed blocks of 0 */
         if ((history < 128) && (output_count+1 < output_size)) {
-            int block_size, k;
+            int k;
+            unsigned int block_size;
 
             sign_modifier = 1;
 
@@ -208,6 +209,10 @@ static void bastardized_rice_decompress(ALACContext *alac,
             block_size= decode_scalar(&alac->gb, k, rice_kmodifier, 16);
 
             if (block_size > 0) {
+                if(block_size >= output_size - output_count){
+                    av_log(alac->avctx, AV_LOG_ERROR, "invalid zero block size of %d %d %d\n", block_size, output_size, output_count);
+                    block_size= output_size - output_count - 1;
+                }
                 memset(&output_buffer[output_count+1], 0, block_size * 4);
                 output_count += block_size;
             }