From patchwork Thu Jan 26 01:12:45 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
X-Patchwork-Id: 2316
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.89.21 with SMTP id n21csp2471284vsb;
	Wed, 25 Jan 2017 17:12:59 -0800 (PST)
X-Received: by 10.28.5.70 with SMTP id 67mr24113327wmf.32.1485393178960;
	Wed, 25 Jan 2017 17:12:58 -0800 (PST)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	l34si29007155wrl.66.2017.01.25.17.12.55;
	Wed, 25 Jan 2017 17:12:58 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	dkim=neutral (body hash did not verify) header.i=@googlemail.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
	dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE)
	header.from=googlemail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4377468A6BC;
	Thu, 26 Jan 2017 03:12:53 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wm0-f67.google.com (mail-wm0-f67.google.com
	[74.125.82.67])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 37E37689E04
	for <ffmpeg-devel@ffmpeg.org>; Thu, 26 Jan 2017 03:12:47 +0200 (EET)
Received: by mail-wm0-f67.google.com with SMTP id c85so46512470wmi.1
	for <ffmpeg-devel@ffmpeg.org>; Wed, 25 Jan 2017 17:12:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20161025;
	h=from:subject:to:references:message-id:date:user-agent:mime-version
	:in-reply-to:content-transfer-encoding;
	bh=HG6OPw3SBGMmvGGHH5ApQ6prdvt85wyjFtpuwy3w7gA=;
	b=Te5sd7AJdsqI7HM2JICtHqfmz6xcTR8DCo7Efvf8Z6M7+qyX/Ikyub2H2zxxO2PAEt
	wbd4Xii9TdXdiauYgDAWAekjnEfSzr3ZgrvMqDzAahaNNBCznBC3K9UiCaG7BsP3qvKN
	cQifDIJdfI3Ejf+e+MK7q4DE57haZsuilFZ5K+/VkgS8MuNwCF7v2xlZZL2XSO2f019S
	/nHaoV6TE07v6p57heZtIxPOfxzA/j7KXkO6PZinziUCtPXrnNP0W2OFVZwe3AbhOFxS
	XuIPOWQL48bsFuvhnfcOYkajjW8R00B/+q8pVwRTUztZXd01eZnJn369npg8QLtAaO+o
	Te8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:subject:to:references:message-id:date
	:user-agent:mime-version:in-reply-to:content-transfer-encoding;
	bh=HG6OPw3SBGMmvGGHH5ApQ6prdvt85wyjFtpuwy3w7gA=;
	b=BOafmesS3J6HripmTJwmtwH5d5qo6n2w4+serxhnLAvz+F0fbaWMjzSR1jTF2TZl7A
	J8/T+blsBxs9WnKi0oxcBfOn6sSkj8xNBzQQUsql7nwG4IHV6yfip7pqNhqlaKUmoan4
	dM0iOZzF3l7C4u1RzUz4N1k1lJWuvU9c0ooH0efYxVxYjq+hovBkg/HHewl+cLLZ4RKk
	wnO67vP9Q57omKJX0EXAINppoXYYj2sgPVUgKp1UR/8t6VcfoIFElByZwgKsl6jTq05c
	8DL4si+ugClT8MOEbPVi8PwGDNvq0NPqGLCWzwd347FzLSuSZbzI+QX+6Jti/QsVHyOV
	rfzg==
X-Gm-Message-State: 
 AIkVDXKkbfJJq3IidteP/u9ykn8iCgl1cwDDY68PecFHtyqOsukHcNGnvvTP7UKrNLkw1g==
X-Received: by 10.223.152.18 with SMTP id v18mr179655wrb.78.1485393167141;
	Wed, 25 Jan 2017 17:12:47 -0800 (PST)
Received: from [192.168.2.21] (p5B0954C8.dip0.t-ipconnect.de. [91.9.84.200])
	by smtp.googlemail.com with ESMTPSA id
	c9sm1065349wmi.16.2017.01.25.17.12.46 for <ffmpeg-devel@ffmpeg.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 25 Jan 2017 17:12:46 -0800 (PST)
From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
X-Google-Original-From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
References: <fb8e35f8-5cb3-1cc0-b1b8-aad92a0674ce@googlemail.com>
Message-ID: <d295ffde-47d7-4cb2-4732-625336fa43da@googlemail.com>
Date: Thu, 26 Jan 2017 02:12:45 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <fb8e35f8-5cb3-1cc0-b1b8-aad92a0674ce@googlemail.com>
Subject: [FFmpeg-devel] [PATCH 5/9] nistspheredec: prevent overflow during
	block alignment calculation
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavformat/nistspheredec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c
index 782d1dfbfb..3386497682 100644
--- a/libavformat/nistspheredec.c
+++ b/libavformat/nistspheredec.c
@@ -21,6 +21,7 @@
 
 #include "libavutil/avstring.h"
 #include "libavutil/intreadwrite.h"
+#include "libavcodec/internal.h"
 #include "avformat.h"
 #include "internal.h"
 #include "pcm.h"
@@ -90,6 +91,11 @@ static int nist_read_header(AVFormatContext *s)
             return 0;
         } else if (!memcmp(buffer, "channel_count", 13)) {
             sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->channels);
+            if (st->codecpar->channels > FF_SANE_NB_CHANNELS) {
+                av_log(s, AV_LOG_ERROR, "Too many channels %d > %d\n",
+                       st->codecpar->channels, FF_SANE_NB_CHANNELS);
+                return AVERROR(ENOSYS);
+            }
         } else if (!memcmp(buffer, "sample_byte_format", 18)) {
             sscanf(buffer, "%*s %*s %31s", format);
 
@@ -109,6 +115,11 @@ static int nist_read_header(AVFormatContext *s)
             sscanf(buffer, "%*s %*s %"SCNd64, &st->duration);
         } else if (!memcmp(buffer, "sample_n_bytes", 14)) {
             sscanf(buffer, "%*s %*s %"SCNd32, &bps);
+            if (bps > (INT_MAX / FF_SANE_NB_CHANNELS) >> 3) {
+                av_log(s, AV_LOG_ERROR, "Too many bytes per sample %d > %d\n",
+                       bps, (INT_MAX / FF_SANE_NB_CHANNELS) >> 3);
+                return AVERROR_INVALIDDATA;
+            }
         } else if (!memcmp(buffer, "sample_rate", 11)) {
             sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->sample_rate);
         } else if (!memcmp(buffer, "sample_sig_bits", 15)) {