...
|
...
|
@@ -122,6 +122,7 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
|
122
|
122
|
int16_t *samples = data;
|
123
|
123
|
const uint8_t *buf = buf0;
|
124
|
124
|
int rest = buf_size;
|
|
125
|
+ int num_blocks;
|
125
|
126
|
|
126
|
127
|
if (!c->header_parsed) {
|
127
|
128
|
int hdrsize = adx_decode_header(avctx, buf, rest);
|
...
|
...
|
@@ -136,8 +137,15 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
|
136
|
136
|
|
137
|
137
|
/* 18 bytes of data are expanded into 32*2 bytes of audio,
|
138
|
138
|
so guard against buffer overflows */
|
139
|
|
- if (rest / (BLOCK_SIZE * c->channels) > *data_size / (BLOCK_SAMPLES * c->channels))
|
|
139
|
+ num_blocks = (rest + c->in_temp) / (BLOCK_SIZE * c->channels);
|
|
140
|
+ if (num_blocks > *data_size / (BLOCK_SAMPLES * c->channels)) {
|
140
|
141
|
rest = (*data_size / (BLOCK_SAMPLES * c->channels)) * BLOCK_SIZE;
|
|
142
|
+ num_blocks = (rest + c->in_temp) / (BLOCK_SIZE * c->channels);
|
|
143
|
+ }
|
|
144
|
+ if (!num_blocks) {
|
|
145
|
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
|
|
146
|
+ return AVERROR_INVALIDDATA;
|
|
147
|
+ }
|
141
|
148
|
|
142
|
149
|
if (c->in_temp) {
|
143
|
150
|
int copysize = BLOCK_SIZE * avctx->channels - c->in_temp;
|
...
|
...
|
@@ -148,9 +156,10 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
|
148
|
148
|
if (avctx->channels == 2)
|
149
|
149
|
adx_decode(c, samples + 1, c->dec_temp + BLOCK_SIZE, 1);
|
150
|
150
|
samples += BLOCK_SAMPLES * c->channels;
|
|
151
|
+ num_blocks--;
|
151
|
152
|
}
|
152
|
153
|
|
153
|
|
- while (rest >= BLOCK_SIZE * c->channels) {
|
|
154
|
+ while (num_blocks--) {
|
154
|
155
|
adx_decode(c, samples, buf, 0);
|
155
|
156
|
if (c->channels == 2)
|
156
|
157
|
adx_decode(c, samples + 1, buf + BLOCK_SIZE, 1);
|
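Review bot: The output bound in the second hunk, `num_blocks > *data_size / (BLOCK_SAMPLES * c->channels)`, measures the output buffer in samples, although `samples` is `int16_t *` and the comment above it says each block expands to 32*2 bytes. If `*data_size` is a byte count on entry (its definition is outside these hunks), the limit admits twice as many blocks as the buffer holds; dividing by the sample size as well would close that, e.g. `int max_blocks = *data_size / (BLOCK_SAMPLES * c->channels * (int)sizeof(*samples));`, reused in the clamp instead of repeating the expression. The clamp also sets `rest` with `* BLOCK_SIZE` and no `* c->channels`, which errs on the small side for stereo but deserves a comment or a fix. Because the `while (num_blocks--)` loop in the third hunk no longer tests `rest`, both the reads from `buf` and the writes to `samples` depend on `num_blocks` alone in the visible code, so this bound has to be exact. adx_decode_frame starts and ends outside the visible hunks.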