diff mbox series

[FFmpeg-devel] avcodec/g729_parser: Check channels

Message ID 20220227135058.15739-1-michael@niedermayer.cc
State Accepted
Commit 757da974b21833529cc41bdcc9684c29660cdfa8
Headers show
Series [FFmpeg-devel] avcodec/g729_parser: Check channels | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_aarch64_jetson success Make finished
andriy/make_fate_aarch64_jetson success Make fate finished
andriy/make_armv7_RPi4 success Make finished
andriy/make_fate_armv7_RPi4 success Make fate finished

Commit Message

Michael Niedermayer Feb. 27, 2022, 1:50 p.m. UTC 
Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
Fixes: assertion failure
Fixes: ticket9651

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/g729_parser.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul B Mahol Feb. 27, 2022, 2:02 p.m. UTC | #1 
On Sun, Feb 27, 2022 at 2:51 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: signed integer overflow: 10 * 808464428 cannot be represented in
> type 'int'
> Fixes: assertion failure
> Fixes: ticket9651
>


LGTM

Is it possible for parser get 0 channels as input, so it could
theoretically loop forever?


>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/g729_parser.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c
> index 8c06ce4ee6..4dcdeab651 100644
> --- a/libavcodec/g729_parser.c
> +++ b/libavcodec/g729_parser.c
> @@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserContext *s1,
> AVCodecContext *avctx,
>          s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE :
> G729_8K_BLOCK_SIZE;
>          if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN)
>              s->block_size++;
> +        // channels > 2 is invalid, we pass the packet on unchanged
> +        if (avctx->channels > 2)
> +            s->block_size = 0;
>          s->block_size *= avctx->channels;
>          s->duration   = avctx->frame_size;
>      }
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
Michael Niedermayer March 7, 2022, 11:30 p.m. UTC | #2 
On Sun, Feb 27, 2022 at 03:02:46PM +0100, Paul B Mahol wrote:
> On Sun, Feb 27, 2022 at 2:51 PM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > Fixes: signed integer overflow: 10 * 808464428 cannot be represented in
> > type 'int'
> > Fixes: assertion failure
> > Fixes: ticket9651
> >
> 
> 
> LGTM

will apply


> 
> Is it possible for parser get 0 channels as input, so it could
> theoretically loop forever?

there is a check for block_size == 0 a few lines later

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c
index 8c06ce4ee6..4dcdeab651 100644
--- a/libavcodec/g729_parser.c
+++ b/libavcodec/g729_parser.c
@@ -48,6 +48,9 @@  static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx,
         s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
         if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN)
             s->block_size++;
+        // channels > 2 is invalid, we pass the packet on unchanged
+        if (avctx->channels > 2)
+            s->block_size = 0;
         s->block_size *= avctx->channels;
         s->duration   = avctx->frame_size;
     }