| Message ID | 1fba15fb-40df-ec6b-1aa7-118b1ed7f483@googlemail.com |
|---|---|
| State | Accepted |
| Headers | show |
On Thu, Oct 20, 2016 at 08:19:00PM +0200, Andreas Cadhalpun wrote: > On 20.10.2016 02:59, Michael Niedermayer wrote: > > On Wed, Oct 19, 2016 at 10:41:22PM +0200, Andreas Cadhalpun wrote: > >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > >> --- > >> libavformat/dcstr.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c > >> index 69fae41..d5d2281 100644 > >> --- a/libavformat/dcstr.c > >> +++ b/libavformat/dcstr.c > >> @@ -47,7 +47,7 @@ static int dcstr_read_header(AVFormatContext *s) > >> avio_skip(s->pb, 4); > >> st->duration = avio_rl32(s->pb); > > > >> st->codecpar->channels *= avio_rl32(s->pb); > > > > This here can overflow and needs a check > > Yes. > > > > >> - if (!align || align > INT_MAX / st->codecpar->channels) > >> + if (!align || !st->codecpar->channels || align > INT_MAX / st->codecpar->channels) > >> return AVERROR_INVALIDDATA; > > > > might need a <0 check too should be ok otherwise > > OK. New patch attached. > > Best regards, > Andreas > > dcstr.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > 365ebc3a050fcccc6754a981340e0a8df5dbf781 0001-dcstr-fix-division-by-zero.patch > From 656f4ea3f664417197a622dcf80284e890caa849 Mon Sep 17 00:00:00 2001 > From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > Date: Thu, 20 Oct 2016 20:13:54 +0200 > Subject: [PATCH] dcstr: fix division by zero > > Also check for possible overflows. > > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > --- > libavformat/dcstr.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) LGTM thx [...]
On 21.10.2016 01:37, Michael Niedermayer wrote: > On Thu, Oct 20, 2016 at 08:19:00PM +0200, Andreas Cadhalpun wrote: >> dcstr.c | 8 +++++++- >> 1 file changed, 7 insertions(+), 1 deletion(-) >> 365ebc3a050fcccc6754a981340e0a8df5dbf781 0001-dcstr-fix-division-by-zero.patch >> From 656f4ea3f664417197a622dcf80284e890caa849 Mon Sep 17 00:00:00 2001 >> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> Date: Thu, 20 Oct 2016 20:13:54 +0200 >> Subject: [PATCH] dcstr: fix division by zero >> >> Also check for possible overflows. >> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> --- >> libavformat/dcstr.c | 8 +++++++- >> 1 file changed, 7 insertions(+), 1 deletion(-) > > LGTM Pushed. Best regards, Andreas
From 656f4ea3f664417197a622dcf80284e890caa849 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Date: Thu, 20 Oct 2016 20:13:54 +0200 Subject: [PATCH] dcstr: fix division by zero Also check for possible overflows. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> --- libavformat/dcstr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 69fae41..6035dd4 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -33,6 +33,7 @@ static int dcstr_probe(AVProbeData *p) static int dcstr_read_header(AVFormatContext *s) { unsigned codec, align; + int mult; AVStream *st; st = avformat_new_stream(s, NULL); @@ -46,7 +47,12 @@ static int dcstr_read_header(AVFormatContext *s) align = avio_rl32(s->pb); avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); - st->codecpar->channels *= avio_rl32(s->pb); + mult = avio_rl32(s->pb); + if (st->codecpar->channels <= 0 || mult <= 0 || mult > INT_MAX / st->codecpar->channels) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d x %d\n", st->codecpar->channels, mult); + return AVERROR_INVALIDDATA; + } + st->codecpar->channels *= mult; if (!align || align > INT_MAX / st->codecpar->channels) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; -- 2.9.3