diff options
| author | Martin Storsjö <martin@martin.st> | 2013-09-16 21:27:49 +0300 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-10-04 03:26:27 +0200 |
| commit | 00516b5491fbd99e4057f21eae231fc02cc596e3 (patch) | |
| tree | 64ef13ad2213ce40dcd56bba47c294cdd7ed3c26 | |
| parent | 3706c229920115f022876ef07b16217dce504db6 (diff) | |
| download | ffmpeg-00516b5491fbd99e4057f21eae231fc02cc596e3.tar.gz | |
xmv: Add more sanity checks for parameters read from the bitstream
Since the number of channels is multiplied by 36 and assigned to
to a uint16_t, make sure this calculation didn't overflow. (In
certain cases the calculation could overflow leaving the
truncated block_align at 0, leading to divisions by zero later.)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavformat/xmv.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libavformat/xmv.c b/libavformat/xmv.c index d491dec8f6..201dc3ac72 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -43,6 +43,8 @@ XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ XMV_AUDIO_ADPCM51_REARLEFTRIGHT) +#define XMV_BLOCK_ALIGN_SIZE 36 + typedef struct XMVAudioTrack { uint16_t compression; uint16_t channels; @@ -207,7 +209,7 @@ static int xmv_read_header(AVFormatContext *s) track->bit_rate = track->bits_per_sample * track->sample_rate * track->channels; - track->block_align = 36 * track->channels; + track->block_align = XMV_BLOCK_ALIGN_SIZE * track->channels; track->block_samples = 64; track->codec_id = ff_wav_codec_get_id(track->compression, track->bits_per_sample); @@ -224,7 +226,8 @@ static int xmv_read_header(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", track->flags); - if (!track->channels || !track->sample_rate) { + if (!track->channels || !track->sample_rate || + track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", audio_track); ret = AVERROR_INVALIDDATA; |