author | Uoti Urpala <uau@mplayer2.org> | 2012-08-06 21:22:37 +0300 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2012-08-16 17:16:33 +0200 |
commit | 7f0926498c59f87c05fcdc1994d9701d9d5f5bd4 (patch) | |
tree | 3070516230c5dc5e8d9e35fc2ec722787f4d31f5 /libmpcodecs | |
parent | 202ea8214ef1db693405b75559868523ca725ac0 (diff) |
ad_ffmpeg: add sanity check against decoder overreads
The libavcodec Musepack SV8 decoder returned 2 bytes consumed for 1
byte input, which triggered a crash due to negative input packet size
later. Add a sanity check to prevent crashes with this type of minor
decoder overread. Also add a check on the amount of data the parser
reports as consumed.
Diffstat (limited to 'libmpcodecs')
-rw-r--r-- | libmpcodecs/ad_ffmpeg.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libmpcodecs/ad_ffmpeg.c b/libmpcodecs/ad_ffmpeg.c
index a20689eab8..c4d7c13941 100644
--- a/libmpcodecs/ad_ffmpeg.c
+++ b/libmpcodecs/ad_ffmpeg.c
@@ -291,6 +291,7 @@ static int decode_new_packet(struct sh_audio *sh)
 start = mpkt->buffer + mpkt->len - priv->previous_data_left;
 int consumed = ds_parse(sh->ds, &start, &insize, pts, 0);
 priv->previous_data_left -= consumed;
+ priv->previous_data_left = FFMAX(priv->previous_data_left, 0);
 }
 AVPacket pkt;
@@ -314,8 +315,9 @@ static int decode_new_packet(struct sh_audio *sh)
 mp_msg(MSGT_DECAUDIO, MSGL_V, "lavc_audio: error\n");
 return -1;
 }
- if (!sh->parser)
- priv->previous_data_left += insize - ret;
+ // The "insize >= ret" test is sanity check against decoder overreads
+ if (!sh->parser && insize >= ret)
+ priv->previous_data_left = insize - ret;
 if (!got_frame)
 return 0;
 /* An error is reported later from output format checking, but make |
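Review bot: In the first hunk (`@@ -291,6 +291,7 @@`), the added `FFMAX(priv->previous_data_left, 0)` clamp only bounds the value from below, so a negative `consumed` would still make `previous_data_left` grow past the packet length and move the next `start = mpkt->buffer + mpkt->len - priv->previous_data_left` before the buffer. Whether `ds_parse` can return a negative value is not visible here, so that needs confirming against its contract. I would validate before subtracting, e.g. `if (consumed < 0 || consumed > priv->previous_data_left) consumed = priv->previous_data_left;`, and emit an `mp_msg(MSGT_DECAUDIO, MSGL_V, ...)` line on that path so a misbehaving parser shows up in verbose output instead of being silently corrected. The enclosing block of `decode_new_packet` starts outside the hunk.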
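Review bot: In the second hunk (`@@ -314,8 +315,9 @@`), when the decoder reports `ret > insize` the new condition simply skips the assignment, so `previous_data_left` keeps whatever value it already had and the overread goes unreported. Because the commit also changes `+=` to `=`, the result now depends on the value left by code outside this hunk, and the commit message does not explain that change. Making the clamp explicit would mirror the first hunk and leave no stale state: `if (!sh->parser) priv->previous_data_left = FFMAX(insize - ret, 0);`. The comment would read better as `// Sanity check: the decoder may report more bytes consumed than it was given (overread)`, and a verbose-level `mp_msg` on the overread path would help when triaging malformed input files.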