On 20.10.2016 02:59, Michael Niedermayer wrote:
> On Wed, Oct 19, 2016 at 10:41:22PM +0200, Andreas Cadhalpun wrote:
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavformat/dcstr.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c
>> index 69fae41..d5d2281 100644
>> --- a/libavformat/dcstr.c
>> +++ b/libavformat/dcstr.c
>> @@ -47,7 +47,7 @@ static int dcstr_read_header(AVFormatContext *s)
>>      avio_skip(s->pb, 4);
>>      st->duration           = avio_rl32(s->pb);
> 
>>      st->codecpar->channels   *= avio_rl32(s->pb);
> 
> This here can overflow and needs a check

Yes.

> 
>> -    if (!align || align > INT_MAX / st->codecpar->channels)
>> +    if (!align || !st->codecpar->channels || align > INT_MAX / 
>> st->codecpar->channels)
>>          return AVERROR_INVALIDDATA;
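Review bot: the added `!st->codecpar->channels` test only catches a product of zero, while `st->codecpar->channels *= avio_rl32(s->pb)` just above it still runs unchecked and can leave a negative value. Since `align` is declared `unsigned`, a negative `INT_MAX / st->codecpar->channels` is converted to a large unsigned value, so the `align >` comparison passes and the negative channel count is accepted. Check both factors before multiplying and reject anything `<= 0`.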
> 
> might need a <0 check too should be ok otherwise

OK. New patch attached.

Best regards,
Andreas

From 656f4ea3f664417197a622dcf80284e890caa849 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Thu, 20 Oct 2016 20:13:54 +0200
Subject: [PATCH] dcstr: fix division by zero

Also check for possible overflows.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/dcstr.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c
index 69fae41..6035dd4 100644
--- a/libavformat/dcstr.c
+++ b/libavformat/dcstr.c
@@ -33,6 +33,7 @@ static int dcstr_probe(AVProbeData *p)
 static int dcstr_read_header(AVFormatContext *s)
 {
     unsigned codec, align;
+    int mult;
     AVStream *st;
 
     st = avformat_new_stream(s, NULL);
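Review bot: `int mult` is filled from `avio_rl32()`, the same unsigned 32-bit read that feeds the `unsigned` variable `align`, so values above INT_MAX only reach the later `mult <= 0` test through an unsigned-to-int conversion. Declaring `mult` as `unsigned` next to `align` would let `mult > INT_MAX / st->codecpar->channels` reject those values directly, with `!mult` for the zero case and `%u` in the log format.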
@@ -46,7 +47,12 @@ static int dcstr_read_header(AVFormatContext *s)
     align                  = avio_rl32(s->pb);
     avio_skip(s->pb, 4);
     st->duration           = avio_rl32(s->pb);
-    st->codecpar->channels   *= avio_rl32(s->pb);
+    mult                   = avio_rl32(s->pb);
+    if (st->codecpar->channels <= 0 || mult <= 0 || mult > INT_MAX / st->codecpar->channels) {
+        av_log(s, AV_LOG_ERROR, "invalid number of channels %d x %d\n", st->codecpar->channels, mult);
+        return AVERROR_INVALIDDATA;
+    }
+    st->codecpar->channels *= mult;
     if (!align || align > INT_MAX / st->codecpar->channels)
         return AVERROR_INVALIDDATA;
     st->codecpar->block_align = align * st->codecpar->channels;
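Review bot: the added `if` condition and the `av_log` call are each one very long line, much wider than the surrounding code; wrap the condition after `mult <= 0 ||` and break the `av_log` arguments onto a continuation line. The guard itself is sound: with both factors known to be positive, `mult > INT_MAX / st->codecpar->channels` rejects exactly the products that would exceed INT_MAX, and the unchanged `align > INT_MAX / st->codecpar->channels` test below it can no longer divide by zero.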
-- 
2.9.3

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel