Hi, On Tue, Feb 21, 2012 at 10:36 AM, Ronald S. Bultje <[email protected]> wrote: > From: "Ronald S. Bultje" <[email protected]> > > We read sub_packet_h / 2 packets per line of data (during deinterleaving), > which equals zero if sub_packet_h <= 1, thus causing us to not read any > data, leading to an infinite loop. > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: [email protected] > --- > libavformat/rmdec.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c > index ee8abdd..ed16b07 100644 > --- a/libavformat/rmdec.c > +++ b/libavformat/rmdec.c > @@ -265,6 +265,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, > AVIOContext *pb, > switch (ast->deint_id) { > case DEINT_ID_INT4: > if (ast->coded_framesize > ast->audio_framesize || > + sub_packet_h <= 1 || > ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & > 1)) * ast->audio_framesize) > return AVERROR_INVALIDDATA;
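Review bot: the added `sub_packet_h <= 1 ||` test in the DEINT_ID_INT4 condition carries no comment, and the loop it protects is not in this function. According to the commit message, the `sub_packet_h / 2` read count is used later, during deinterleaving, so a reader of rm_read_audio_stream_info() cannot see why 1 is the cutoff. A one-line comment above the condition would keep the guard from being dropped in a later cleanup, for example noting that the deinterleaver reads sub_packet_h / 2 packets per line and so needs sub_packet_h >= 2. The hunk touches only the DEINT_ID_INT4 case. It is worth confirming that the other deint_id cases in this switch do not derive a per-line read count from sub_packet_h in the same way, since a zero count there would stall the demuxer just as it does here.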
Ping. This fixes an infinite loop on files using INT4 deinterleaving and coding 1 or 0 as sub_packet_h.

Ronald
