diff options
| author | Martin Storsjö <martin@martin.st> | 2013-09-03 11:54:03 +0300 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2014-05-31 20:07:52 -0400 |
| commit | 110680c5a2098505400f4fdff4c994020a377d19 (patch) | |
| tree | b5d59727170ed307fb986f9fb191934d8dcafdd9 | |
| parent | 7fa72700298107fe756311ecb4dee5270ff12d35 (diff) | |
| download | ffmpeg-110680c5a2098505400f4fdff4c994020a377d19.tar.gz | |
alac: Limit max_samples_per_frame
Otherwise buffer size calculations in allocate_buffers could
overflow later, making the code think a large enough buffer
actually was allocated.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
| -rw-r--r-- | libavcodec/alac.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c index da789087fd..23b8951169 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -584,6 +584,12 @@ static int alac_set_info(ALACContext *alac) /* buffer size / 2 ? */ alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr); + if (!alac->setinfo_max_samples_per_frame || + alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) { + av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n", + alac->setinfo_max_samples_per_frame); + return AVERROR_INVALIDDATA; + } ptr++; /* compatible version */ alac->setinfo_sample_size = *ptr++; alac->setinfo_rice_historymult = *ptr++; |