From patchwork Thu Jan 26 01:14:09 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Cadhalpun X-Patchwork-Id: 2322
From: Andreas Cadhalpun X-Google-Original-From: Andreas Cadhalpun To: FFmpeg development discussions and patches References: Message-ID: <8842f859-7257-dabd-bc86-14aba952e547@googlemail.com> Date: Thu, 26 Jan 2017 02:14:09 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0 MIME-Version: 1.0 In-Reply-To: Subject: [FFmpeg-devel] [PATCH 9/9] boadec: prevent overflow during block alignment calculation X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Signed-off-by: Andreas Cadhalpun --- libavformat/boadec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/boadec.c b/libavformat/boadec.c index ac2a33b3f0..6055effcad 100644 --- a/libavformat/boadec.c +++ b/libavformat/boadec.c @@ -20,6 +20,7 @@ */ #include "libavutil/intreadwrite.h" +#include "libavcodec/internal.h" #include "avformat.h" #include "internal.h" 
@@ -53,9 +54,20 @@ static int read_header(AVFormatContext *s) avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); st->codecpar->channels = avio_rl32(s->pb); + if (st->codecpar->channels > FF_SANE_NB_CHANNELS) { + av_log(s, AV_LOG_ERROR, "Too many channels %d > %d\n", + st->codecpar->channels, FF_SANE_NB_CHANNELS); + return AVERROR(ENOSYS); + } s->internal->data_offset = avio_rl32(s->pb); avio_r8(s->pb); - st->codecpar->block_align = st->codecpar->channels * avio_rl32(s->pb); + st->codecpar->block_align = avio_rl32(s->pb); + if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS) { + av_log(s, AV_LOG_ERROR, "Too large block alignment %d > %d\n", + st->codecpar->block_align, INT_MAX / FF_SANE_NB_CHANNELS); + return AVERROR_INVALIDDATA; + } + st->codecpar->block_align *= st->codecpar->channels; avio_seek(s->pb, s->internal->data_offset, SEEK_SET);
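Review bot: The `#include "libavcodec/internal.h"` added in the first hunk (`@@ -20,6 +20,7 @@`) makes a libavformat demuxer depend on a libavcodec private header, and the visible lines use only `FF_SANE_NB_CHANNELS` from it. Please note in the commit message or in a comment next to the include that this constant is the reason for it, so the dependency is not dropped or widened by accident later. The second hunk also relies on `INT_MAX`; if that only arrives transitively through the headers already listed, an explicit `<limits.h>` include would make it robust.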
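Review bot: Both checks added in the `read_header` hunk bound the values only from above, so a header field with its top bit set still gets through. `channels` and `block_align` are handled as signed here (printed with `%d`, compared against `INT_MAX`), so a 32-bit value read by `avio_rl32` that comes out negative passes `> FF_SANE_NB_CHANNELS` and `> INT_MAX / FF_SANE_NB_CHANNELS` alike, and `st->codecpar->block_align *= st->codecpar->channels` can then still overflow or leave a zero or negative block alignment. I would reject non-positive values in the same conditions, for example `if (st->codecpar->channels <= 0 || st->codecpar->channels > FF_SANE_NB_CHANNELS)` and the equivalent `block_align <= 0 ||` test before the multiplication. Minor: the two error paths return different codes (`AVERROR(ENOSYS)` for the channel count, `AVERROR_INVALIDDATA` for the block alignment) although both reject malformed header data; either use one code or say in the commit message why they differ.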