avcodec/wmaprodec: Return value check for init_get_bits
Similar to CVE-2021-38171 as the second argument for init_get_bits(avpkt and
buf) can be crafted,
a return value check for this function call is necessary.
Also replace init_get_bits with init_get_bits8.
---
libavcodec/wmaprodec.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index e0d00d2d37..0e229b258d 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -1615,6 +1615,7 @@ static int decode_packet(AVCodecContext *avctx,
WMAProDecodeCtx *s,
int buf_size = avpkt->size;
int num_bits_prev_frame;
int packet_sequence_number;
+ int ret;
*got_frame_ptr = 0;
@@ -1666,7 +1667,9 @@ static int decode_packet(AVCodecContext *avctx,
WMAProDecodeCtx *s,
s->buf_bit_size = buf_size << 3;
/** parse packet header */
- init_get_bits(gb, buf, s->buf_bit_size);
+ ret = init_get_bits8(gb, buf, buf_size);
+ if (ret < 0)
+ return ret;
if (avctx->codec_id != AV_CODEC_ID_XMA2) {
packet_sequence_number = get_bits(gb, 4);
skip_bits(gb, 2);
@@ -1734,7 +1737,9 @@ static int decode_packet(AVCodecContext *avctx,
WMAProDecodeCtx *s,
}
s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
- init_get_bits(gb, avpkt->data, s->buf_bit_size);
+ ret = init_get_bits8(gb, avpkt->data, (avpkt->size -
s->next_packet_start));
+ if (ret < 0)
+ return ret;
skip_bits(gb, s->packet_offset);
if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size &&
(frame_size = show_bits(gb, s->log2_frame_size)) &&
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
[email protected]
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
[email protected] with subject "unsubscribe".
