Revision 14c49573


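--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -602,6 +602,10 @@
 {
     ADPCMContext *c = avctx->priv_data;
 
+    if(avctx->channels > 2U){
+        return -1;
+    }
+
     c->channel = 0;
     c->status[0].predictor = c->status[1].predictor = 0;
     c->status[0].step_index = c->status[1].step_index = 0;
@@ -826,6 +830,7 @@
     int n, m, channel, i;
     int block_predictor[2];
     short *samples;
+    short *samples_end;
     uint8_t *src;
     int st; /* stereo */
 
@@ -847,7 +852,15 @@
     if (!buf_size)
         return 0;
 
+    //should protect all 4bit ADPCM variants
+    //8 is needed for CODEC_ID_ADPCM_IMA_WAV with 2 channels
+    //
+    if(*data_size/4 < buf_size + 8)
+        return -1;
+
     samples = data;
+    samples_end= samples + *data_size/2;
+    *data_size= 0;
     src = buf;
 
     st = avctx->channels == 2 ? 1 : 0;
@@ -1031,6 +1044,9 @@
         if (avctx->block_align != 0 && buf_size > avctx->block_align)
             buf_size = avctx->block_align;
 
+        if(buf_size + 16 > (samples_end - samples)*3/8)
+            return -1;
+
         c->status[0].predictor = (int16_t)(src[10] | (src[11] << 8));
         c->status[1].predictor = (int16_t)(src[12] | (src[13] << 8));
         c->status[0].step_index = src[14];
@@ -1197,7 +1213,7 @@
                 src++;
             }
         } else if (avctx->codec->id == CODEC_ID_ADPCM_SBPRO_3) {
-            while (src < buf + buf_size) {
+            while (src < buf + buf_size && samples + 2 < samples_end) {
                 *samples++ = adpcm_sbpro_expand_nibble(&c->status[0],
                     (src[0] >> 5) & 0x07, 3, 0);
                 *samples++ = adpcm_sbpro_expand_nibble(&c->status[0],
@@ -1207,7 +1223,7 @@
                 src++;
             }
         } else {
-            while (src < buf + buf_size) {
+            while (src < buf + buf_size && samples + 3 < samples_end) {
                 *samples++ = adpcm_sbpro_expand_nibble(&c->status[0],
                     (src[0] >> 6) & 0x03, 2, 2);
                 *samples++ = adpcm_sbpro_expand_nibble(&c->status[st],
@@ -1229,6 +1245,11 @@
 
         init_get_bits(&gb, buf, size);
 
+//the following return -1 may be removed only after
+//1. correctly spliting the stream into packets at demuxer or parser level
+//2. checking array bounds when writing
+//3. moving the global nb_bits header into extradata
+return -1;
         // first frame, read bits & inital values
         if (!c->nb_bits)
         {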
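Review bot: The new output-size guard at new line 858, `if(*data_size/4 < buf_size + 8)`, adds to the input length before comparing, so if `buf_size` is a signed `int` (its declaration is not on this page) a value within 8 of `INT_MAX` overflows and the check is no longer reliable; `if(buf_size > *data_size/4 - 8)` states the same bound without an addition on the input length. The guard at new line 1047 has the same shape (`buf_size + 16`, and `(samples_end - samples)*3` can wrap for very large output buffers where `ptrdiff_t` is 32 bits), and the loop conditions at new lines 1216 and 1226 form `samples + 2` and `samples + 3`, which is undefined once the result would pass `samples_end`; `samples_end - samples > 2` and `samples_end - samples > 3` compare the remaining room instead. The guard's own comment limits it to the 4-bit variants, so every branch that writes more than two samples per input byte needs its own check, as the two SBPRO loops now have. The decode function's body continues outside the visible hunks, so the remaining branches cannot be confirmed from this page.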
