On 15.06.2015 21:40, Hendrik Leppkes wrote: > On Mon, Jun 15, 2015 at 9:17 PM, Andreas Cadhalpun > <andreas.cadhal...@googlemail.com> wrote: >> The values are written with avio_wl16 and if they don't fit into >> uint16_t, this triggers an av_assert2 in avio_w8. >> >> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> >> --- >> libavformat/matroskadec.c | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c >> index 81dd53f..7af03c9 100644 >> --- a/libavformat/matroskadec.c >> +++ b/libavformat/matroskadec.c >> @@ -1889,6 +1889,14 @@ static int matroska_parse_tracks(AVFormatContext *s) >> NULL, NULL, NULL, NULL); >> avio_write(&b, "TTA1", 4); >> avio_wl16(&b, 1); >> + if (track->audio.channels > UINT16_MAX || >> + track->audio.bitdepth > UINT16_MAX) { >> + av_log(matroska->ctx, AV_LOG_ERROR, >> + "Too large audio channel number %"PRIu64 >> + " or bitdepth %"PRIu64".\n", >> + track->audio.channels, track->audio.bitdepth); >> + return AVERROR_INVALIDDATA; >> + } >> avio_wl16(&b, track->audio.channels); >> avio_wl16(&b, track->audio.bitdepth); >> if (track->audio.out_samplerate < 0 || >> track->audio.out_samplerate > INT_MAX) >> -- > > The commit message could clarify that this is in the TTA extradata > re-construction, because I was briefly confused why a demuxer would > "write" the sample rate.
OK.

> Additionally, I would vote for using continue and just leaving this
> track broken, instead of erroring out of reading entirely and making
> reading the entire file impossible.

I guess you're also fine with an explode mode.
Updated patch attached.

Best regards,
Andreas
>From 903de886ae73469831f3416d5fc57c2a6ab97708 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> Date: Mon, 15 Jun 2015 21:06:51 +0200 Subject: [PATCH 2/2] matroskadec: validate audio channels and bitdepth In the TTA extradata re-construction the values are written with avio_wl16 and if they don't fit into uint16_t, this triggers an av_assert2 in avio_w8. Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> --- libavformat/matroskadec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 81dd53f..07f4539 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1889,6 +1889,18 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + av_freep(&extradata); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) -- 2.1.4
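Review bot: the range check on `track->audio.channels` and `track->audio.bitdepth` sits after `avio_write(&b, "TTA1", 4)` and `avio_wl16(&b, 1)`, so the skip path has to clean up with `av_freep(&extradata)` before it can `continue` or return. Both values are known before anything is written, so the check could run ahead of the buffer setup, leaving nothing to free on the early exit. Two smaller points in the same block: the message is logged at AV_LOG_WARNING and says "Skipping track." even when `AV_EF_EXPLODE` is set and the function returns AVERROR_INVALIDDATA, so choosing the level and wording per branch would make the log match what actually happens; and the `else` before `continue` is redundant after the `return`. It is also worth confirming that code after this loop copes with a TTA track that was skipped here.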
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel