rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1.

We read sub_packet_h / 2 packets per line of data (during deinterleaving), which equals zero if sub_packet_h <= 1, thus causing us to not read any data, leading to an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-21 10:36:27 -0800
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-22 09:17:27 -0800
commit: e30b3e59a4f3004337cb1623b2aac988ce52b93f (patch)
tree: ea397dc8de54b6b9bad4a68a783b1e013f81cf75 /libavformat/rmdec.c
parent: 58700edb94a3ddd7267fd7430d19b4a7e2a6b82b (diff)
download: ffmpeg-e30b3e59a4f3004337cb1623b2aac988ce52b93f.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index ee8abdd800..ed16b0715c 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -265,6 +265,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
         switch (ast->deint_id) {
         case DEINT_ID_INT4:
             if (ast->coded_framesize > ast->audio_framesize ||
+                sub_packet_h <= 1 ||
                 ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
                 return AVERROR_INVALIDDATA;
             break;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-21 10:36:27 -0800
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-22 09:17:27 -0800
commit	e30b3e59a4f3004337cb1623b2aac988ce52b93f (patch)
tree	ea397dc8de54b6b9bad4a68a783b1e013f81cf75 /libavformat/rmdec.c
parent	58700edb94a3ddd7267fd7430d19b4a7e2a6b82b (diff)
download	ffmpeg-e30b3e59a4f3004337cb1623b2aac988ce52b93f.tar.gz