From cc9c5126387a1d8093ca8cc1df6ab2c535c35dba Mon Sep 17 00:00:00 2001
From: Ramiro Polla <ramiro.polla@gmail.com>
Date: Sun, 5 Apr 2009 20:46:53 +0000
Subject: [PATCH] mlpdec: Validate non-restart bit from the substream header.
Originally committed as revision 18336 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
libavcodec/mlpdec.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 8ec78b101d9..516c17f073a 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -117,6 +117,9 @@ typedef struct SubStream {
typedef struct MLPDecodeContext {
AVCodecContext *avctx;
+ //! Current access unit being read has a major sync.
+ int is_major_sync_unit;
+
//! Set if a valid major sync block has been read. Otherwise no decoding is possible.
uint8_t params_valid;
@@ -917,9 +920,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
init_get_bits(&gb, (buf + 4), (length - 4) * 8);
+ m->is_major_sync_unit = 0;
if (show_bits_long(&gb, 31) == (0xf8726fba >> 1)) {
if (read_major_sync(m, &gb) < 0)
goto error;
+ m->is_major_sync_unit = 1;
header_size += 28;
}
@@ -933,10 +938,10 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
substream_start = 0;
for (substr = 0; substr < m->num_substreams; substr++) {
- int extraword_present, checkdata_present, end;
+ int extraword_present, checkdata_present, end, nonrestart_substr;
extraword_present = get_bits1(&gb);
- skip_bits1(&gb);
+ nonrestart_substr = get_bits1(&gb);
checkdata_present = get_bits1(&gb);
skip_bits1(&gb);
@@ -949,6 +954,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
substr_header_size += 2;
}
+ if (!(nonrestart_substr ^ m->is_major_sync_unit)) {
+ av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n");
+ goto error;
+ }
+
if (end + header_size + substr_header_size > length) {
av_log(m->avctx, AV_LOG_ERROR,
"Indicated length of substream %d data goes off end of "
--
GitLab