diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2016-12-03 03:40:55 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2016-12-04 20:25:15 +0100 |
| commit | e9003828dd7ea167133266e3c6bd7a8f3ed200fb (patch) | |
| tree | 0c887c9d0ad82dfdfca3f3eebcd3329c9fec19cb | |
| parent | 66e8f87ebc7897d0b7a92ff748c53481e990a670 (diff) | |
| download | ffmpeg-e9003828dd7ea167133266e3c6bd7a8f3ed200fb.tar.gz | |
avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow
Fixes undefined behavior
Fixes: 635422.ogg
Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/oggparsespeex.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index c86b12713e..3440a501c4 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -76,6 +76,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; |