On Sat, Sep 17, 2011 at 09:49:04PM +0200, Laurent Aimar wrote: > On Sat, Sep 17, 2011 at 04:56:33PM +0200, [email protected] wrote: > > From: Laurent Aimar <[email protected]> > > > > --- > > libavformat/rmdec.c | 10 ++++++---- > > 1 files changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c > > index 1c96573..81f563e 100644 > > --- a/libavformat/rmdec.c > > +++ b/libavformat/rmdec.c > > @@ -215,8 +215,9 @@ static int rm_read_audio_stream_info(AVFormatContext > > *s, AVIOContext *pb, > > ast->audio_framesize = st->codec->block_align; > > st->codec->block_align = coded_framesize; > > > > - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ > > - av_log(s, AV_LOG_ERROR, "ast->audio_framesize * > > sub_packet_h too large\n"); > > + if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || > > + ast->audio_framesize >= UINT_MAX / sub_packet_h){ > > + av_log(s, AV_LOG_ERROR, "ast->audio_framesize * > > sub_packet_h is invalid\n"); > > return -1; > > } > > > > @@ -252,8 +253,9 @@ static int rm_read_audio_stream_info(AVFormatContext > > *s, AVIOContext *pb, > > if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) > > < 0) > > return ret; > > > > - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ > > - av_log(s, AV_LOG_ERROR, "rm->audio_framesize * > > sub_packet_h too large\n"); > > + if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || > > + ast->audio_framesize >= UINT_MAX / sub_packet_h){ > > + av_log(s, AV_LOG_ERROR, "rm->audio_framesize * > > sub_packet_h is invalid\n"); > > return -1; > > } > > Withdrawn, I will merge it with: > - "Reject invalid deinterleaving parameters in the RM demuxer." > - "Prevent the RM demuxer from returning uninitialized AVPacket in case of > corrupted streams." > it will be simpler/more logical.
Patch attached. -- fenrir
>From c0977288030a4d8fdc161a363538ca1d130e8f2c Mon Sep 17 00:00:00 2001
From: Laurent Aimar <[email protected]>
Date: Sat, 17 Sep 2011 00:05:13 +0200
Subject: [PATCH] Reject invalid deinterleaving parameters in the RM demuxer.
---
 libavformat/rmdec.c | 57 +++++++++++++++++++++++++++-----------------------
 1 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 02ff7e9..be5f325 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -194,18 +194,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 st->codec->codec_id = ff_codec_get_id(ff_rm_codec_tags, st->codec->codec_tag);
- switch (ast->deint_id) {
- case DEINT_ID_GENR:
- case DEINT_ID_INT0:
- case DEINT_ID_INT4:
- case DEINT_ID_SIPR:
- case DEINT_ID_VBRS:
- case DEINT_ID_VBRF:
- break;
- default:
- av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id);
- return AVERROR_INVALIDDATA;
- }
 switch (st->codec->codec_id) {
 case CODEC_ID_AC3:
 st->need_parsing = AVSTREAM_PARSE_FULL;
@@ -214,13 +202,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 st->codec->extradata_size= 0;
 ast->audio_framesize = st->codec->block_align;
 st->codec->block_align = coded_framesize;
-
- if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
- av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n");
- return -1;
- }
-
- av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h);
 break;
 case CODEC_ID_COOK:
 case CODEC_ID_ATRAC3:
@@ -251,13 +232,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 }
 if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0)
 return ret;
-
- if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
- av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
- return -1;
- }
-
- av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h);
 break;
 case CODEC_ID_AAC:
 avio_rb16(pb); avio_r8(pb);
@@ -277,6 +251,37 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 default:
 av_strlcpy(st->codec->codec_name, buf, sizeof(st->codec->codec_name));
 }
+ if (ast->deint_id == DEINT_ID_INT4 ||
+ ast->deint_id == DEINT_ID_GENR ||
+ ast->deint_id == DEINT_ID_SIPR) {
+ if (st->codec->block_align <= 0 ||
+ ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX ||
+ ast->audio_framesize * sub_packet_h < st->codec->block_align)
+ return AVERROR_INVALIDDATA;
+ if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0)
+ return AVERROR(ENOMEM);
+ }
+ switch (ast->deint_id) {
+ case DEINT_ID_INT4:
+ if (ast->coded_framesize > ast->audio_framesize ||
+ ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
+ return AVERROR_INVALIDDATA;
+ break;
+ case DEINT_ID_GENR:
+ if (ast->sub_packet_size <= 0 ||
+ ast->sub_packet_size > ast->audio_framesize)
+ return AVERROR_INVALIDDATA;
+ break;
+ case DEINT_ID_SIPR:
+ case DEINT_ID_INT0:
+ case DEINT_ID_VBRS:
+ case DEINT_ID_VBRF:
+ break;
+ default:
+ av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id);
+ return AVERROR_INVALIDDATA;
+ }
+
 if (read_all) {
 avio_r8(pb);
 avio_r8(pb);
--
1.7.2.5
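Review bot: The size checks in the added `if` form the product `ast->audio_framesize * sub_packet_h` before anything bounds its operands, whereas the removed checks divided (`UINT_MAX / sub_packet_h`) so that the product was never computed on unchecked values. If both operands are signed ints (their declarations are outside this hunk), values read from a corrupted file can overflow the multiplication before the `(unsigned)INT_MAX` comparison is evaluated, so a guard such as `ast->audio_framesize <= 0 || sub_packet_h <= 0 || ast->audio_framesize > INT_MAX / sub_packet_h` should come first; the products in the DEINT_ID_INT4 case (`ast->coded_framesize * sub_packet_h` and `(2 + (sub_packet_h & 1)) * ast->audio_framesize`) deserve the same treatment. `av_new_packet()` also runs before the `switch`, so the INT4 and GENR rejections return with `ast->pkt` already allocated; unless the caller frees it on error, which is not visible here, moving the allocation after the switch avoids holding a packet for a stream that is then rejected. The new `AVERROR_INVALIDDATA` returns are silent, while the removed checks reported the problem through `av_log(s, AV_LOG_ERROR, …)`, which makes rejected files harder to diagnose. The body of rm_read_audio_stream_info starts and ends outside this hunk.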
