diff options
author | Laurent Aimar <fenrir@videolan.org> | 2011-09-17 00:05:13 +0200 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2011-09-19 15:45:22 +0300 |
commit | f06068bbd6ed1f831dee0b0ee46e00ebe42ec1e2 (patch) | |
tree | 39799effceff2a04d7d235c3ed87be5b02eeabcc /libavformat | |
parent | b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89 (diff) | |
download | ffmpeg-f06068bbd6ed1f831dee0b0ee46e00ebe42ec1e2.tar.gz |
rmdec: Reject invalid deinterleaving parameters
Signed-off-by: Martin Storsjö <martin@martin.st>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/rmdec.c | 57 |
1 files changed, 31 insertions, 26 deletions
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 4b891817af..56ad3313cf 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -194,18 +194,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codec->codec_id = ff_codec_get_id(ff_rm_codec_tags, st->codec->codec_tag); - switch (ast->deint_id) { - case DEINT_ID_GENR: - case DEINT_ID_INT0: - case DEINT_ID_INT4: - case DEINT_ID_SIPR: - case DEINT_ID_VBRS: - case DEINT_ID_VBRF: - break; - default: - av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id); - return AVERROR_INVALIDDATA; - } switch (st->codec->codec_id) { case CODEC_ID_AC3: st->need_parsing = AVSTREAM_PARSE_FULL; @@ -214,13 +202,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codec->extradata_size= 0; ast->audio_framesize = st->codec->block_align; st->codec->block_align = coded_framesize; - - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ - av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n"); - return -1; - } - - av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h); break; case CODEC_ID_COOK: case CODEC_ID_ATRAC3: @@ -251,13 +232,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, } if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0) return ret; - - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ - av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n"); - return -1; - } - - av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h); break; case CODEC_ID_AAC: avio_rb16(pb); avio_r8(pb); @@ -277,6 +251,37 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, default: av_strlcpy(st->codec->codec_name, buf, sizeof(st->codec->codec_name)); } + if (ast->deint_id == DEINT_ID_INT4 || + ast->deint_id == DEINT_ID_GENR || + ast->deint_id == DEINT_ID_SIPR) { + if (st->codec->block_align <= 0 || + ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * sub_packet_h < st->codec->block_align) + return AVERROR_INVALIDDATA; + if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) + return AVERROR(ENOMEM); + } + switch (ast->deint_id) { + case DEINT_ID_INT4: + if (ast->coded_framesize > ast->audio_framesize || + ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + return AVERROR_INVALIDDATA; + break; + case DEINT_ID_GENR: + if (ast->sub_packet_size <= 0 || + ast->sub_packet_size > ast->audio_framesize) + return AVERROR_INVALIDDATA; + break; + case DEINT_ID_SIPR: + case DEINT_ID_INT0: + case DEINT_ID_VBRS: + case DEINT_ID_VBRF: + break; + default: + av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id); + return AVERROR_INVALIDDATA; + } + if (read_all) { avio_r8(pb); avio_r8(pb); |