ffmpeg | branch: release/3.0 | Michael Niedermayer <[email protected]> | Sat Dec 3 03:40:55 2016 +0100| [e9003828dd7ea167133266e3c6bd7a8f3ed200fb] | committer: Michael Niedermayer
avformat/oggparsespeex: Check frames_per_packet and packet_size The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e9003828dd7ea167133266e3c6bd7a8f3ed200fb --- libavformat/oggparsespeex.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index c86b127..3440a50 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -76,6 +76,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; _______________________________________________ ffmpeg-cvslog mailing list [email protected] http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
