From patchwork Sun Jan 1 22:51:28 2017
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 2015
From: Andreas Cadhalpun
To: "Ronald S. Bultje"
Cc: FFmpeg development discussions and patches
Message-ID: <56da961b-99da-808b-b283-4579c006728c@googlemail.com>
Date: Sun, 1 Jan 2017 23:51:28 +0100
Subject: Re: [FFmpeg-devel] [PATCH 2/2] wmavoice: prevent division by zero crash

On 01.01.2017 23:23, Ronald S. Bultje wrote:
> On Sun, Jan 1, 2017 at 5:19 PM, Andreas Cadhalpun wrote:
>
> The problem was introduced by commit 3deb4b54a24f8cddce463d9f5751b01efeb976af.
>
> Signed-off-by: Andreas Cadhalpun
> ---
> libavcodec/wmavoice.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c > index 1bfad46b2e..279b44dc12 100644 > --- a/libavcodec/wmavoice.c > +++ b/libavcodec/wmavoice.c > @@ -1908,7 +1908,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, > /* size == ctx->block_align is used to indicate whether we are dealing with > * a new packet or a packet of which we already read the packet header > * previously. */ > - if (!(size % ctx->block_align)) { // new packet header > + if (ctx->block_align && !(size % ctx->block_align)) { // new packet header > if (!size) { > s->spillover_nbits = 0; > s->nb_superframes = 0; > -- > 2.11.0
>
> nak.
>
> The init routine should error out if block_align is zero.
> The codec can not operate without block_align set.

Fine for me. Patch doing that is attached.

Best regards,
Andreas

From caec0e9f57ddc2373d3e2cb56ed1e6c3ce0df166 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Sun, 1 Jan 2017 22:48:38 +0100
Subject: [PATCH] wmavoice: validate block alignment

This prevents a division by zero crash in wmavoice_decode_packet.
The problem was introduced by commit 3deb4b54a24f8cddce463d9f5751b01efeb976af.

Signed-off-by: Andreas Cadhalpun
---
 libavcodec/wmavoice.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 1bfad46b2e..080ec86b53 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -388,6 +388,11 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) ctx->extradata_size); return AVERROR_INVALIDDATA; } + if (ctx->block_align <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align); + return AVERROR_INVALIDDATA; + } + flags = AV_RL32(ctx->extradata + 18); s->spillover_bitsize = 3 + av_ceil_log2(ctx->block_align); s->do_apf = flags & 0x1; -- 2.11.0
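Review bot: the new check in wmavoice_decode_init only protects the later `size % ctx->block_align` in wmavoice_decode_packet if `ctx->block_align` stays fixed after init, so please confirm nothing in the decoder re-reads it from the container per packet; otherwise the division is still reachable with zero. Placement is right, since the check runs before `s->spillover_bitsize = 3 + av_ceil_log2(ctx->block_align);`, so av_ceil_log2 never sees a zero either, and rejecting the stream here is the fail-fast behaviour the earlier `ctx->block_align &&` guard lacked (that guard would have let a zero value silently take the continuation path). Minor: `<= 0` also rejects negative values, which the commit message could mention, and the log line could state that a positive block alignment is required so the error is actionable for users.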