From 2386e24e38bbf9847870dfec22998e8fa252e359 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Thu, 15 Dec 2016 02:14:49 +0100
Subject: [PATCH] nistspheredec: prevent overflow during block alignment
calculation
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
libavformat/nistspheredec.c | 5 +++++
1 file changed, 5 insertions(+)
@@ -21,6 +21,7 @@
#include "libavutil/avstring.h"
#include "libavutil/intreadwrite.h"
+#include "libavcodec/internal.h"
#include "avformat.h"
#include "internal.h"
#include "pcm.h"
@@ -90,6 +91,8 @@ static int nist_read_header(AVFormatContext *s)
return 0;
} else if (!memcmp(buffer, "channel_count", 13)) {
sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->channels);
+ if (st->codecpar->channels > FF_SANE_NB_CHANNELS)
+ return AVERROR(ENOSYS);
} else if (!memcmp(buffer, "sample_byte_format", 18)) {
sscanf(buffer, "%*s %*s %31s", format);
@@ -109,6 +112,8 @@ static int nist_read_header(AVFormatContext *s)
sscanf(buffer, "%*s %*s %"SCNd64, &st->duration);
} else if (!memcmp(buffer, "sample_n_bytes", 14)) {
sscanf(buffer, "%*s %*s %"SCNd32, &bps);
+ if (bps > (INT_MAX / FF_SANE_NB_CHANNELS) >> 3)
+ return AVERROR_INVALIDDATA;
} else if (!memcmp(buffer, "sample_rate", 11)) {
sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->sample_rate);
} else if (!memcmp(buffer, "sample_sig_bits", 15)) {
--
2.11.0