From patchwork Wed Oct 19 21:46:43 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 1083
From: Andreas Cadhalpun X-Google-Original-From: Andreas Cadhalpun To: FFmpeg development discussions and patches Message-ID: <9cbfa03d-62e4-417d-ba3a-8f52b6a16f7e@googlemail.com> Date: Wed, 19 Oct 2016 23:46:43 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] rsd: limit number of channels X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Negative values don't make sense and too large values can cause overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata buffer being allocated, causing out-of-bounds writes. Signed-off-by: Andreas Cadhalpun --- libavformat/rsd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index ee6fdfb..5a56e72 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -84,8 +84,10 @@ static int rsd_read_header(AVFormatContext *s) } par->channels = avio_rl32(pb); - if (!par->channels) + if (par->channels <= 0 || par->channels > INT_MAX / 36) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", par->channels); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // Bit depth par->sample_rate = avio_rl32(pb);
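Review bot: The upper bound `INT_MAX / 36` in the new `par->channels` check is a magic number with nothing in the hunk tying it to the computation it protects. The commit message says the overflow affects the extradata allocation for AV_CODEC_ID_ADPCM_THP, so the 36 should be explained in a comment or replaced with a named constant that is also used where the extradata size is computed, so that the check and the allocation cannot drift apart. The bound also only rules out integer overflow: channel counts in the tens of millions still pass, so a much lower sanity limit on channels may be worth considering if the format has one. The `<= 0` test is the right way to catch values from `avio_rl32(pb)` that have the high bit set once stored in the signed `par->channels`. Finally, the diffstat shows no include being added, so please confirm that `INT_MAX` is already visible in rsd.c through the existing headers.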