| Message ID | 20240430004854.199741-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | c26a762ea1bf028a33554a5f7a18d8dd7d82f5a8 |
| Headers | show |
| Series | [FFmpeg-devel,1/3] avformat/kvag: Check sample_rate | expand |
On Tue, Apr 30, 2024 at 02:48:52AM +0200, Michael Niedermayer wrote: > Fixes: Division by 0 > Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 > > Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/kvag.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) I will apply this one sample rate is signed everywhere so accepting things outside the signed int range is not going to work [...]
diff --git a/libavformat/kvag.c b/libavformat/kvag.c index 1d0aee09942..b55aa893ec2 100644 --- a/libavformat/kvag.c +++ b/libavformat/kvag.c @@ -38,7 +38,7 @@ typedef struct KVAGHeader { uint32_t magic; uint32_t data_size; - uint32_t sample_rate; + int sample_rate; uint16_t stereo; } KVAGHeader; @@ -70,6 +70,9 @@ static int kvag_read_header(AVFormatContext *s) hdr.sample_rate = AV_RL32(buf + 8); hdr.stereo = AV_RL16(buf + 12); + if (hdr.sample_rate <= 0) + return AVERROR_INVALIDDATA; + par = st->codecpar; par->codec_type = AVMEDIA_TYPE_AUDIO; par->codec_id = AV_CODEC_ID_ADPCM_IMA_SSI;
Fixes: Division by 0 Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/kvag.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)