Module: libav Branch: release/0.8 Commit: 0e4bb0530f7d4cb1343499ee2bf0cb943d3b9a41
Author: Ronald S. Bultje <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Thu Mar 29 12:44:55 2012 -0700 tta: prevents overflows for 32bit integers in header. This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] (cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865) Signed-off-by: Reinhard Tartler <[email protected]>
---
libavcodec/tta.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 985bf0c..1743f7d 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -61,7 +61,8 @@ typedef struct TTAContext {
 GetBitContext gb;
 const AVCRC *crc_table;
- int format, channels, bps, data_length;
+ int format, channels, bps;
+ unsigned data_length;
 int frame_length, last_frame_length, total_frames;
 int32_t *decode_buffer;
@@ -265,7 +266,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
 }
 // prevent overflow
- if (avctx->sample_rate > 0x7FFFFF) {
+ if (avctx->sample_rate > 0x7FFFFFu) {
 av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
 return AVERROR(EINVAL);
 }
@@ -282,7 +283,8 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
 s->data_length, s->frame_length, s->last_frame_length, s->total_frames);
 // FIXME: seek table
- if (get_bits_left(&s->gb) < 32 * s->total_frames + 32)
+ if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 ||
+ avctx->extradata_size - 26 < s->total_frames * 4)
 av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n");
 else if (avctx->err_recognition & AV_EF_CRCCHECK) {
 if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4))
_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
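Review bot: In the TTAContext hunk, `data_length` becomes `unsigned`, but the first context line of the third hunk still passes `s->data_length` in an argument list whose format string lies outside the diff. If that format uses `%d` for it, it should become `%u` so the specifier matches the argument type and values above INT_MAX are not logged as negative. Since the commit message describes this as a 32-bit header integer, `uint32_t data_length;` would state the width explicitly and sit naturally next to the `int32_t *decode_buffer` declaration. A short comment such as `/* read from the stream header; unsigned so a large value cannot go negative */` would record why this one field differs from its `int` neighbours.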
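Review bot: In the sample_rate hunk, the `u` suffix in `avctx->sample_rate > 0x7FFFFFu` rejects negative rates only through the implicit conversion of `sample_rate` to unsigned (assuming it is a signed int, as the commit message implies), which is easy to undo by accident and still lets a rate of 0 through. Spelling the range out, `if (avctx->sample_rate <= 0 || avctx->sample_rate > 0x7FFFFF) {`, makes both bounds visible. Whether 0 is harmful depends on how the rate is used after this check, which is outside the hunk, so that should be confirmed. If the suffix form is kept, the comment could be extended to `// prevent overflow; the unsigned compare also rejects negative values`. tta_decode_init starts and ends outside the hunk.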
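Review bot: In the seek-table hunk, the new condition bounds `s->total_frames` from above only. `total_frames` is a signed `int` in TTAContext, so a negative value passes `s->total_frames > INT_MAX / 4`, makes `s->total_frames * 4` negative, fails the size comparison, and can reach `tta_check_crc()` with a negative length. Its computation is outside the hunk, so whether it can go negative is not visible here, but with `data_length` now spanning the full unsigned range a quotient above INT_MAX seems possible. Adding `s->total_frames < 0 ||` to the condition, or rejecting the value where it is computed, would close that. The constants 26 and 22 would also benefit from a comment or named constants stating which header and CRC sizes they stand for.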
