From patchwork Thu Oct 20 18:19:00 2016
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 1092
From: Andreas Cadhalpun
To: ffmpeg-devel@ffmpeg.org
References: <20161020005944.GO4602@nb4>
Message-ID: <1fba15fb-40df-ec6b-1aa7-118b1ed7f483@googlemail.com>
Date: Thu, 20 Oct 2016 20:19:00 +0200
In-Reply-To: <20161020005944.GO4602@nb4>
Subject: Re: [FFmpeg-devel] [PATCH] dcstr: fix division by zero

On 20.10.2016 02:59, Michael Niedermayer wrote:
> On Wed, Oct 19, 2016 at 10:41:22PM +0200, Andreas Cadhalpun wrote:
>> Signed-off-by: Andreas Cadhalpun
>> ---
>>  libavformat/dcstr.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c
>> index 69fae41..d5d2281 100644
>> --- a/libavformat/dcstr.c
>> +++ b/libavformat/dcstr.c
>> @@ -47,7 +47,7 @@ static int dcstr_read_header(AVFormatContext *s)
>>      avio_skip(s->pb, 4);
>>      st->duration = avio_rl32(s->pb);
>
>>      st->codecpar->channels *= avio_rl32(s->pb);
>
> This here can overflow and needs a check

Yes.

>
>> -    if (!align || align > INT_MAX / st->codecpar->channels)
>> +    if (!align || !st->codecpar->channels || align > INT_MAX / st->codecpar->channels)
>>          return AVERROR_INVALIDDATA;
>
> might need a <0 check too
> should be ok otherwise

OK. New patch attached.

Best regards,
Andreas

From 656f4ea3f664417197a622dcf80284e890caa849 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Thu, 20 Oct 2016 20:13:54 +0200
Subject: [PATCH] dcstr: fix division by zero

Also check for possible overflows.

Signed-off-by: Andreas Cadhalpun
---
 libavformat/dcstr.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c
index 69fae41..6035dd4 100644
--- a/libavformat/dcstr.c
+++ b/libavformat/dcstr.c
@@ -33,6 +33,7 @@ static int dcstr_probe(AVProbeData *p)
 static int dcstr_read_header(AVFormatContext *s)
 {
     unsigned codec, align;
+    int mult;
     AVStream *st;
 
     st = avformat_new_stream(s, NULL);
@@ -46,7 +47,12 @@ static int dcstr_read_header(AVFormatContext *s)
     align = avio_rl32(s->pb);
     avio_skip(s->pb, 4);
     st->duration = avio_rl32(s->pb);
-    st->codecpar->channels *= avio_rl32(s->pb);
+    mult = avio_rl32(s->pb);
+    if (st->codecpar->channels <= 0 || mult <= 0 || mult > INT_MAX / st->codecpar->channels) {
+        av_log(s, AV_LOG_ERROR, "invalid number of channels %d x %d\n", st->codecpar->channels, mult);
+        return AVERROR_INVALIDDATA;
+    }
+    st->codecpar->channels *= mult;
     if (!align || align > INT_MAX / st->codecpar->channels)
         return AVERROR_INVALIDDATA;
     st->codecpar->block_align = align * st->codecpar->channels;
-- 
2.9.3
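Review bot: in the second hunk, `mult = avio_rl32(s->pb);` stores the unsigned 32-bit field in an `int`, so a value above INT_MAX only reaches the `mult <= 0` test after an implementation-defined narrowing conversion (it wraps negative on the platforms FFmpeg targets and is then rejected, so the check works, but the intent is hidden). Reading the field into an `unsigned` and comparing it against `INT_MAX / st->codecpar->channels` directly would express the bound without relying on that conversion. The `st->codecpar->channels <= 0` test in the same condition is what guarantees the later `INT_MAX / st->codecpar->channels` never divides by zero, since a positive channel count times a positive, non-overflowing `mult` stays positive, so that ordering of the conditions should be kept. One consistency point: the new rejection logs the offending values with av_log, while the unchanged `if (!align || align > INT_MAX / st->codecpar->channels)` right below it still returns AVERROR_INVALIDDATA silently; logging the rejected `align` there too would make both failure paths equally easy to diagnose from a malformed file.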