From patchwork Thu Apr  4 16:29:35 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Almer <jamrial@gmail.com>
X-Patchwork-Id: 47799
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:24a8:b0:1a3:b6bb:3029 with SMTP id m40csp436795pzd;
        Thu, 4 Apr 2024 09:29:48 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCWgH2W7JpRvXM+lUpDph2gijuEclHt4g8TJzu96s2n7PZJORjDLnX4FKfSRyzxIY1QQ/bpOaSTquOOFZ2dIMNTN7tXHPU/aTHO5PQ==
X-Google-Smtp-Source: 
 AGHT+IF/eeSPGlGIGD1VQVmrUBlNpE6KJ2FF7EIPfY0HYUxLwlTsfOx+18Ub85+cfQC4uMQ0cg61
X-Received: by 2002:a17:907:2982:b0:a51:93bb:89c9 with SMTP id
 eu2-20020a170907298200b00a5193bb89c9mr721313ejc.6.1712248188243;
        Thu, 04 Apr 2024 09:29:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1712248188; cv=none;
        d=google.com; s=arc-20160816;
        b=Jep+2pm+lw2Adn3o2QPNd7SD3kc5ij1h3Y74pOHgIyOSKy10sGuVAY2gc8IJJpwoSe
         Tkr8Q1WwuVpfdVtC54yxxHnDkyO40DLvjxPP3CeA8ERBY7JD2O2Cgz94ruYCmaBY/8w0
         U5aCaY0sbcBrEiuZ5F+PuY6LlVUV3yyuGASLv6Ga3Bb49AxlFZgRkn8nGN1muHRJl+WV
         K85VrluoPqQhpP553l4rf5JKMOO/+U10Hkv1sJoU6y6SGxrUNv6K/iMtITLeZie7+pMz
         dLnbj8sIM0lz7R9h5C0j8AXIM01AHRjDknugJOHY6q823F2oEMkXdINO3WSJlLbtZ24K
         FwSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe
         :list-help:list-post:list-archive:list-unsubscribe:list-id
         :precedence:subject:mime-version:message-id:date:to:from
         :dkim-signature:delivered-to;
        bh=rXmDHNbDkmStwAF4TCmKBA+5mn6LRp/jqb95+s2Osf8=;
        fh=YOA8vD9MJZuwZ71F/05pj6KdCjf6jQRmzLS+CATXUQk=;
        b=kKSUAv8XXXSoyE5/FPlakhW6Rixe4jWANpqxGtBGKrFbT0NXiJLeMdSyMKDB1BiSu/
         GCdcRwXQaXnbJMwgivOhpA2iKi+ItFs+W9zadvU243CWaa1NZJsGmcOSyNiGocfyJevN
         RA4sZ0O1F5TTrGU8bf+tcYgLX2c82/zcd/loT4fd87YJlPVMOKKmzxGMjlBBDWs4kHvI
         /abBr5XzT7hKzntXGo8PB1EeNsq8qfDBpaEtUCQKNYZplN2YDKMpj1cRAl93YaYkIfPT
         kAxm2T4RcLE4vATpXlE+/Z3at6UrYwNjXicSxNnLp2y6aN2RgwMzIGoptcnGj2ZAMIRC
         gLQg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20230601 header.b=GwqQiKuI;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 kq16-20020a170906abd000b00a5194684318si351832ejb.918.2024.04.04.09.29.47;
        Thu, 04 Apr 2024 09:29:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20230601 header.b=GwqQiKuI;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C849F68D0DD;
	Thu,  4 Apr 2024 19:29:44 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com
 [209.85.216.45])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id C9F0868C917
 for <ffmpeg-devel@ffmpeg.org>; Thu,  4 Apr 2024 19:29:37 +0300 (EEST)
Received: by mail-pj1-f45.google.com with SMTP id
 98e67ed59e1d1-29b7164eef6so914752a91.2
 for <ffmpeg-devel@ffmpeg.org>; Thu, 04 Apr 2024 09:29:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1712248175; x=1712852975; darn=ffmpeg.org;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=+C1jnI30PqGqCDsyznPat++Ox75/+dFuhpWQHBUxCAc=;
 b=GwqQiKuIcWXJ8PSCohWQaVkZ3boZzsZgza60NKQa5H5VSS1/2Xx2sWOoBUTtVUoKMa
 zOjwZgdMxF8WSE2XFQfDqWG3NXhJhK12J77w40RRR5tyzGEyP7y6P+Nm2rhTKEh1Y/RO
 bBvNroYVqC/NO47PGdkJ9iIEYQJpp955l0DaWjnCKphfnd8HkejTMJcad380ccB73rcl
 wjgDJ708cXsIhBn/jH2mYRSSbOOoSw4DGZhjU3TO5ZdNiQmVYrB5qWVO4kxwVfLyi28y
 RBqsjIHsvRaj8acW5M9rr7DjKXITD8mBof1+csMhzOv4XKvX5NRCaC1om0YyZdRHtFjd
 KkqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1712248175; x=1712852975;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=+C1jnI30PqGqCDsyznPat++Ox75/+dFuhpWQHBUxCAc=;
 b=Wuk+UsdIHJYQm05Oi8GOrAotq/IMJfNtjB5Vvs5ZCS7fJLRIafKIQd+SUTW/4thpEW
 SRnlreKW2K735QmODLRqYnSBUd62xdWoVAMKUO5pkuhTD8jMRwvRhTN9BkDLtw6YhFSI
 yjiP5VmGLAIkU/VFeJdxhFEfPhJbgN5HiEJXekEVyG+I1JqXVVo+pHKSLeF7W2t/RdZM
 o/GFE8+QK7yM2K/aNEHIW6tWcGN/7S2DFo0OIONKhg9gKpmShFZhbUCdNXPH5zUjZJZr
 cSW9pEc9yl1JdJjefxdN6gsuloQn1+mlLIPaVW2uniNANB3dE0PfdZW1a+5HGCWmWZS0
 GylA==
X-Gm-Message-State: AOJu0YweWJlbaNncjRWt2Vk1vj+dohjLiCuPHw/1Cwra4oCjjYljbGwW
 rxJhf7F/LSKssXoWEjW75EjbN4QKaetaPxxhwAU07Vb/Nk0akKZ9F67YgnW4
X-Received: by 2002:a17:90b:4b4d:b0:2a2:53a5:7559 with SMTP id
 mi13-20020a17090b4b4d00b002a253a57559mr3127392pjb.38.1712248175088;
 Thu, 04 Apr 2024 09:29:35 -0700 (PDT)
Received: from localhost.localdomain ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 jx15-20020a17090b46cf00b002a2546fd6eesm1741104pjb.6.2024.04.04.09.29.33
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 04 Apr 2024 09:29:34 -0700 (PDT)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu,  4 Apr 2024 13:29:35 -0300
Message-ID: <20240404162936.4581-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.44.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/liblc3dec: sanitize channel
 count in avctx
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: 9ZdslUz2rRr7

Should prevent out of array accesses.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/liblc3dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/liblc3dec.c b/libavcodec/liblc3dec.c
index c0a31bc91f..52364859d4 100644
--- a/libavcodec/liblc3dec.c
+++ b/libavcodec/liblc3dec.c
@@ -46,6 +46,8 @@ static av_cold int liblc3_decode_init(AVCodecContext *avctx)
 
     if (avctx->extradata_size < 10)
         return AVERROR_INVALIDDATA;
+    if (channels < 0 || channels > DECODER_MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
 
     liblc3->frame_us = AV_RL16(avctx->extradata + 0) * 10;
     liblc3->srate_hz = avctx->sample_rate;