aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2016-12-03 03:40:55 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2016-12-03 04:10:31 +0100
commitf202fefdb0ac86eb2b0e88f11bb63b7f9d2e2bc1 (patch)
tree51f48cd4bb2b56397d1cfdaafc8f3a1082594dab /libavformat
parent3af916db3705593a4408bb25671a1ecf5dec813f (diff)
downloadffmpeg-f202fefdb0ac86eb2b0e88f11bb63b7f9d2e2bc1.tar.gz
avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/oggparsespeex.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c
index 9b5c65f453..55bf72b221 100644
--- a/libavformat/oggparsespeex.c
+++ b/libavformat/oggparsespeex.c
@@ -74,6 +74,13 @@ static int speex_header(AVFormatContext *s, int idx) {
spxp->packet_size = AV_RL32(p + 56);
frames_per_packet = AV_RL32(p + 64);
+ if (spxp->packet_size < 0 ||
+ frames_per_packet < 0 ||
+ spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) {
+ av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet);
+ spxp->packet_size = 0;
+ return AVERROR_INVALIDDATA;
+ }
if (frames_per_packet)
spxp->packet_size *= frames_per_packet;