alsdec: validate time diff index
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Sat, 18 Apr 2015 18:09:28 +0000 (20:09 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 22 Apr 2015 10:27:25 +0000 (12:27 +0200)
If begin is smaller than t, the subtraction 'begin -= t' wraps around,
because begin is unsigned. The same applies for end < t.

This causes segmentation faults.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/alsdec.c

index fa93b75..2cf01b2 100644 (file)
@@ -1284,8 +1284,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
 
             if (ch[dep].time_diff_sign) {
                 t      = -t;
+                if (t > 0 && begin < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
+                    return AVERROR_INVALIDDATA;
+                }
                 begin -= t;
             } else {
+                if (t > 0 && end < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t);
+                    return AVERROR_INVALIDDATA;
+                }
                 end   -= t;
             }