github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 21:00:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/adpcm: handle ADPCM_IMA_MAGIX like other similar codecs

Browse Source 
Fixes: out of array access
Fixes: 471509958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_MAGIX_DEC_fuzzer-4847227777646592

We ask for a mono sample because the implementation for mono is incomplete

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-02-08 01:28:16 +01:00
parent 927ae7a0d5
commit 65fd516768
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/adpcm.c
View File

@@ -1218,7 +1218,6 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
case AV_CODEC_ID_ADPCM_AGM:
case AV_CODEC_ID_ADPCM_IMA_ACORN:
case AV_CODEC_ID_ADPCM_IMA_DAT4:
case AV_CODEC_ID_ADPCM_IMA_MAGIX:
case AV_CODEC_ID_ADPCM_IMA_MOFLEX:
case AV_CODEC_ID_ADPCM_IMA_ISS: header_size = 4 * ch; break;
case AV_CODEC_ID_ADPCM_IMA_SMJPEG: header_size = 4 * ch; break;
@@ -1315,6 +1314,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
buf_size = FFMIN(buf_size, avctx->block_align);
nb_samples = (buf_size - 4 * ch) * 2 / ch;
break;
case AV_CODEC_ID_ADPCM_IMA_MAGIX:
if (avctx->block_align > 0)
buf_size = FFMIN(buf_size, avctx->block_align);
nb_samples = (buf_size - 4 * ch) * 2 / ch;
if (ch == 1) {
avpriv_request_sample(avctx, "mono ADPCM Magix");
return AVERROR_PATCHWELCOME;
}
break;
CASE(ADPCM_IMA_WAV,
int bsize = ff_adpcm_ima_block_sizes[avctx->bits_per_coded_sample - 2];
int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2];
@@ -1799,7 +1807,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame,
}
}
for (int m = 0; m < avctx->block_align-8; m += 8) {
for (int m = 0; m < channels*nb_samples/16; m ++) {
uint32_t v0 = bytestream2_get_le32u(&gb);
uint32_t v1 = bytestream2_get_le32u(&gb);