On Wed, Feb 25, 2015 at 11:48:33PM +0100, Andreas Cadhalpun wrote:
> Hi,
>
> if avctx->channels is 0 in adx_read_packet, size gets set to 0,
> av_get_packet sets pkt->data to NULL and then AV_RB16(pkt->data)
> results in a null pointer dereference.
>
> Attached patch fixes this.
>
> Best regards,
> Andreas
> adxdec.c | 5 +++++ > 1 file changed, 5 insertions(+) > 7312e6a3be1771c83eac72784496c6fc4692d954 > 0001-avformat-adxdec-check-avctx-channels-for-invalid-val.patch > From 2578976a0a9eec03d168f393795119fd274ee81f Mon Sep 17 00:00:00 2001 > From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > Date: Wed, 25 Feb 2015 22:55:44 +0100 > Subject: [PATCH] avformat/adxdec: check avctx->channels for invalid values > > This avoids a null pointer dereference of pkt->data. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavformat/adxdec.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c > index ddaa201..24a8a1f 100644 > --- a/libavformat/adxdec.c > +++ b/libavformat/adxdec.c > @@ -40,6 +40,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket > *pkt) > AVCodecContext *avctx = s->streams[0]->codec; > int ret, size; > > + if (avctx->channels <= 0) { > + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", > avctx->channels); > + return AVERROR_INVALIDDATA; > + } the demuxer should extract the channel value in adx_read_header() and check it there. (if it needs the channels, which it does currently) its not good for demuxing to depend on a decoder/parser setting this value between reading the file header and before demuxing the first packet [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I know you won't believe me, but the highest form of Human Excellence is to question oneself and others. -- Socrates
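Review bot: The new `avctx->channels <= 0` check at the top of adx_read_packet guards the cause named in the commit message rather than the dereference itself. The crash is described as AV_RB16(pkt->data) reading a NULL pkt->data after size was computed as 0, so it would be more robust to also reject a non-positive size before the packet is read, or to check the returned packet before pkt->data is accessed. The check has only a lower bound; since the description says size is derived from channels, an upper bound on channels is worth considering in the same place. Because the test sits in the per-packet path, a bad value logs the error on every call; validating once where the channel count is established, as the reply suggests, avoids that.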
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel