Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
libavformat/nistspheredec.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c
index 782d1dfbfb..3386497682 100644
--- a/libavformat/nistspheredec.c
+++ b/libavformat/nistspheredec.c
@@ -21,6 +21,7 @@
#include "libavutil/avstring.h"
#include "libavutil/intreadwrite.h"
+#include "libavcodec/internal.h"
#include "avformat.h"
#include "internal.h"
#include "pcm.h"
@@ -90,6 +91,11 @@ static int nist_read_header(AVFormatContext *s)
return 0;
} else if (!memcmp(buffer, "channel_count", 13)) {
sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->channels);
+ if (st->codecpar->channels > FF_SANE_NB_CHANNELS) {
+ av_log(s, AV_LOG_ERROR, "Too many channels %d > %d\n",
+ st->codecpar->channels, FF_SANE_NB_CHANNELS);
+ return AVERROR(ENOSYS);
+ }
} else if (!memcmp(buffer, "sample_byte_format", 18)) {
sscanf(buffer, "%*s %*s %31s", format);
@@ -109,6 +115,11 @@ static int nist_read_header(AVFormatContext *s)
sscanf(buffer, "%*s %*s %"SCNd64, &st->duration);
} else if (!memcmp(buffer, "sample_n_bytes", 14)) {
sscanf(buffer, "%*s %*s %"SCNd32, &bps);
+ if (bps > (INT_MAX / FF_SANE_NB_CHANNELS) >> 3) {
+ av_log(s, AV_LOG_ERROR, "Too many bytes per sample %d > %d\n",
+ bps, (INT_MAX / FF_SANE_NB_CHANNELS) >> 3);
+ return AVERROR_INVALIDDATA;
+ }
} else if (!memcmp(buffer, "sample_rate", 11)) {
sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->sample_rate);
} else if (!memcmp(buffer, "sample_sig_bits", 15)) {
--
2.11.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
