Message ID | 20200423030741.12158-1-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | 8287c201536e52f2765cfa9a70551814a6f36ebb |
Series | [FFmpeg-devel,01/11] avformat/matroskadec: Reject sipr flavor > 3 | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
Andreas Rheinhardt: > Only flavors 0..3 seem to exist. E.g. rmdec.c treats any flavor > 3 > as invalid data. Furthermore, we do not know how big the packets to > create ought to be given that for sipr these values are not read from > the bitstream, but from a table. > > Furthermore, flavor is only used for sipr, so only check it for sipr; > rmdec.c does the same. (The old check for flavor being < 0 was > always wrong given that flavor is an int that is read via avio_rb16(), > so it has been removed completely.) > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > libavformat/matroskadec.c | 16 +++++++++------- > 1 file changed, 9 insertions(+), 7 deletions(-) > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > index 8e1326abf6..8c65e98e77 100644 > --- a/libavformat/matroskadec.c > +++ b/libavformat/matroskadec.c 
> @@ -2606,28 +2606,30 @@ static int matroska_parse_tracks(AVFormatContext *s) > track->audio.sub_packet_h = avio_rb16(&b); > track->audio.frame_size = avio_rb16(&b); > track->audio.sub_packet_size = avio_rb16(&b); > - if (flavor < 0 || > - track->audio.coded_framesize <= 0 || > + if (track->audio.coded_framesize <= 0 || > track->audio.sub_packet_h <= 0 || > track->audio.frame_size <= 0 || > track->audio.sub_packet_size <= 0 && codec_id != AV_CODEC_ID_SIPR) > return AVERROR_INVALIDDATA; > - track->audio.buf = av_malloc_array(track->audio.sub_packet_h, > - track->audio.frame_size); > - if (!track->audio.buf) > - return AVERROR(ENOMEM); > + > if (codec_id == AV_CODEC_ID_RA_288) { > st->codecpar->block_align = track->audio.coded_framesize; > track->codec_priv.size = 0; > } else { > - if (codec_id == AV_CODEC_ID_SIPR && flavor < 4) { > + if (codec_id == AV_CODEC_ID_SIPR) { > static const int sipr_bit_rate[4] = { 6504, 8496, 5000, 16000 }; > + if (flavor > 3) > + return AVERROR_INVALIDDATA; > track->audio.sub_packet_size = ff_sipr_subpk_size[flavor]; > st->codecpar->bit_rate = sipr_bit_rate[flavor]; > } > st->codecpar->block_align = track->audio.sub_packet_size; > extradata_offset = 78; > } > + track->audio.buf = av_malloc_array(track->audio.sub_packet_h, > + track->audio.frame_size); > + if (!track->audio.buf) > + return AVERROR(ENOMEM); > } else if (codec_id == AV_CODEC_ID_FLAC && track->codec_priv.size) { > ret = matroska_parse_flac(s, track, &extradata_offset); > if (ret < 0) > Will apply this patchset tomorrow if no one objects. - Andreas
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 8e1326abf6..8c65e98e77 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2606,28 +2606,30 @@ static int matroska_parse_tracks(AVFormatContext *s)
 track->audio.sub_packet_h = avio_rb16(&b);
 track->audio.frame_size = avio_rb16(&b);
 track->audio.sub_packet_size = avio_rb16(&b);
- if (flavor < 0 ||
- track->audio.coded_framesize <= 0 ||
+ if (track->audio.coded_framesize <= 0 ||
 track->audio.sub_packet_h <= 0 ||
 track->audio.frame_size <= 0 ||
 track->audio.sub_packet_size <= 0 && codec_id != AV_CODEC_ID_SIPR)
 return AVERROR_INVALIDDATA;
- track->audio.buf = av_malloc_array(track->audio.sub_packet_h,
- track->audio.frame_size);
- if (!track->audio.buf)
- return AVERROR(ENOMEM);
+
 if (codec_id == AV_CODEC_ID_RA_288) {
 st->codecpar->block_align = track->audio.coded_framesize;
 track->codec_priv.size = 0;
 } else {
- if (codec_id == AV_CODEC_ID_SIPR && flavor < 4) {
+ if (codec_id == AV_CODEC_ID_SIPR) {
 static const int sipr_bit_rate[4] = { 6504, 8496, 5000, 16000 };
+ if (flavor > 3)
+ return AVERROR_INVALIDDATA;
 track->audio.sub_packet_size = ff_sipr_subpk_size[flavor];
 st->codecpar->bit_rate = sipr_bit_rate[flavor];
 }
 st->codecpar->block_align = track->audio.sub_packet_size;
 extradata_offset = 78;
 }
+ track->audio.buf = av_malloc_array(track->audio.sub_packet_h,
+ track->audio.frame_size);
+ if (!track->audio.buf)
+ return AVERROR(ENOMEM);
 } else if (codec_id == AV_CODEC_ID_FLAC && track->codec_priv.size) {
 ret = matroska_parse_flac(s, track, &extradata_offset);
 if (ret < 0)
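Review bot: The new `if (flavor > 3)` guard in the SIPR branch uses a bare literal that must stay in step with `sipr_bit_rate[4]` on the line above and with `ff_sipr_subpk_size`, whose size is not visible in this hunk. It also bounds only the upper side, so the two table reads that follow are in range only while `flavor` cannot be negative; the commit message says it is read with avio_rb16(), but that read and the declaration lie outside the hunk. I would tie the check to the table, `if (flavor >= FF_ARRAY_ELEMS(sipr_bit_rate))`, and record the lower-bound assumption next to it with `/* flavor comes from avio_rb16(), so it is never negative */`. The enclosing matroska_parse_tracks() starts and ends outside the hunk, so whether `ff_sipr_subpk_size` really has four entries should be confirmed against its declaration.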
Only flavors 0..3 seem to exist. E.g. rmdec.c treats any flavor > 3 as invalid data. Furthermore, we do not know how big the packets to create ought to be given that for sipr these values are not read from the bitstream, but from a table. Furthermore, flavor is only used for sipr, so only check it for sipr; rmdec.c does the same. (The old check for flavor being < 0 was always wrong given that flavor is an int that is read via avio_rb16(), so it has been removed completely.) Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavformat/matroskadec.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)