From: "Ronald S. Bultje" <[email protected]>

We read sub_packet_h / 2 packets per line of data (during deinterleaving), which equals zero if sub_packet_h <= 1, thus causing us to not read any data, leading to an infinite loop.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] --- libavformat/rmdec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index ee8abdd..ed16b07 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -265,6 +265,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, switch (ast->deint_id) { case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || + sub_packet_h <= 1 || ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; break; -- 1.7.7.4 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
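Review bot: the added "sub_packet_h <= 1 ||" term in the DEINT_ID_INT4 case carries no comment saying why a height of 1 is rejected; the reason (sub_packet_h / 2 packets are read per line during deinterleaving, so a value of 0 or 1 reads nothing and the loop never advances) exists only in the commit message. A one-line comment above the condition would keep the guard from being dropped in a later cleanup of this check. The hunk shows only the DEINT_ID_INT4 case of the switch on ast->deint_id, so it is also worth confirming whether any other case in that switch relies on the same sub_packet_h / 2 read count and needs the same lower bound.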
