Hi,

if avctx->channels is 0 in adx_read_packet, size gets set to 0, av_get_packet sets pkt->data to NULL and then AV_RB16(pkt->data) results in a null pointer dereference.

Attached patch fixes this.

Best regards,
Andreas
From 2578976a0a9eec03d168f393795119fd274ee81f Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Wed, 25 Feb 2015 22:55:44 +0100
Subject: [PATCH] avformat/adxdec: check avctx->channels for invalid values

This avoids a null pointer dereference of pkt->data.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/adxdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c
index ddaa201..24a8a1f 100644
--- a/libavformat/adxdec.c
+++ b/libavformat/adxdec.c
@@ -40,6 +40,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt)
     AVCodecContext *avctx = s->streams[0]->codec;
     int ret, size;
 
+    if (avctx->channels <= 0) {
+        av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
+    }
+
     size = BLOCK_SIZE * avctx->channels;
 
     pkt->pos = avio_tell(s->pb);
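Review bot: the new guard at the top of adx_read_packet only bounds avctx->channels from below, so `size = BLOCK_SIZE * avctx->channels;` is still an int multiplication with no upper limit on the channel count. A very large value could overflow `size` and produce a zero or negative packet size again. Consider also rejecting `avctx->channels > INT_MAX / BLOCK_SIZE` in the same condition. Separately, this check runs on every packet read. If the channel count is fixed once the header has been parsed, validating it where it is first set would reject the file at open time and keep the per-packet path free of the log call.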
-- 
2.1.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel