[FFmpeg-devel,2/2] wmavoice: prevent division by zero crash

Message ID 56da961b-99da-808b-b283-4579c006728c@googlemail.com
State New

Commit Message

Andreas Cadhalpun Jan. 1, 2017, 10:51 p.m. UTC
On 01.01.2017 23:23, Ronald S. Bultje wrote:
> On Sun, Jan 1, 2017 at 5:19 PM, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:
> 
>     The problem was introduced by commit
>     3deb4b54a24f8cddce463d9f5751b01efeb976af.
> 
>     Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>     ---
>      libavcodec/wmavoice.c | 2 +-
>      1 file changed, 1 insertion(+), 1 deletion(-)
> 
>     diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
>     index 1bfad46b2e..279b44dc12 100644
>     --- a/libavcodec/wmavoice.c
>     +++ b/libavcodec/wmavoice.c
>     @@ -1908,7 +1908,7 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
>          /* size == ctx->block_align is used to indicate whether we are dealing with
>           * a new packet or a packet of which we already read the packet header
>           * previously. */
>     -    if (!(size % ctx->block_align)) { // new packet header
>     +    if (ctx->block_align && !(size % ctx->block_align)) { // new packet header
>              if (!size) {
>                  s->spillover_nbits = 0;
>                  s->nb_superframes = 0;
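Review bot: guarding the modulo with `ctx->block_align &&` in wmavoice_decode_packet hides the invalid value instead of rejecting it. With block_align equal to 0 the whole new-packet branch is skipped, including the `if (!size)` reset of `s->spillover_nbits` and `s->nb_superframes`, so the decoder carries on as if the packet header had already been read. A negative block_align also still reaches the `%`. Rejecting a non-positive block_align once, where the codec context is set up, would let this condition stay as it was.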
>     --
>     2.11.0
> 
> 
> nak.
> 
> The init routine should error out if block_align is zero.
> The codec can not operate without block_align set.

Fine for me. Patch doing that is attached.

Best regards,
Andreas

Comments

Ronald S. Bultje Jan. 2, 2017, 3:09 a.m. UTC | #1
Hi,

On Sun, Jan 1, 2017 at 5:51 PM, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:

> On 01.01.2017 23:23, Ronald S. Bultje wrote:
> > On Sun, Jan 1, 2017 at 5:19 PM, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:
> >
> >     The problem was introduced by commit
> >     3deb4b54a24f8cddce463d9f5751b01efeb976af.
> >
> >     Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> >     ---
> >      libavcodec/wmavoice.c | 2 +-
> >      1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >     diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
> >     index 1bfad46b2e..279b44dc12 100644
> >     --- a/libavcodec/wmavoice.c
> >     +++ b/libavcodec/wmavoice.c
> >     @@ -1908,7 +1908,7 @@ static int wmavoice_decode_packet(AVCodecContext
> *ctx, void *data,
> >          /* size == ctx->block_align is used to indicate whether we are
> dealing with
> >           * a new packet or a packet of which we already read the packet
> header
> >           * previously. */
> >     -    if (!(size % ctx->block_align)) { // new packet header
> >     +    if (ctx->block_align && !(size % ctx->block_align)) { // new
> packet header
> >              if (!size) {
> >                  s->spillover_nbits = 0;
> >                  s->nb_superframes = 0;
> >     --
> >     2.11.0
> >
> >
> > nak.
> >
> > The init routine should error out if block_align is zero.
> > The codec can not operate without block_align set.
>
> Fine for me. Patch doing that is attached.


LGTM.

Ronald

Andreas Cadhalpun Jan. 3, 2017, 12:01 a.m. UTC | #2
On 02.01.2017 04:09, Ronald S. Bultje wrote:
> On Sun, Jan 1, 2017 at 5:51 PM, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:
>     Fine for me. Patch doing that is attached.
> 
> 
> LGTM.

Pushed.

Best regards,
Andreas

Patch

From caec0e9f57ddc2373d3e2cb56ed1e6c3ce0df166 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Sun, 1 Jan 2017 22:48:38 +0100
Subject: [PATCH] wmavoice: validate block alignment

This prevents a division by zero crash in wmavoice_decode_packet.

The problem was introduced by commit
3deb4b54a24f8cddce463d9f5751b01efeb976af.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/wmavoice.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index 1bfad46b2e..080ec86b53 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -388,6 +388,11 @@  static av_cold int wmavoice_decode_init(AVCodecContext *ctx)
                ctx->extradata_size);
         return AVERROR_INVALIDDATA;
     }
+    if (ctx->block_align <= 0) {
+        av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align);
+        return AVERROR_INVALIDDATA;
+    }
+
     flags                = AV_RL32(ctx->extradata + 18);
     s->spillover_bitsize = 3 + av_ceil_log2(ctx->block_align);
     s->do_apf            =    flags & 0x1;
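Review bot: the added check in wmavoice_decode_init bounds block_align only from below, while the value is used two lines later in `s->spillover_bitsize = 3 + av_ceil_log2(ctx->block_align);`. It would be worth confirming that a very large block_align is harmless there, or adding an upper limit to the same check. The commit message mentions only the division by zero, although `<= 0` also rejects negative values; a word on that would help. The `av_log` line runs past 80 columns and could be wrapped after the format string.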
-- 
2.11.0