ffmpeg | branch: release/2.5 | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Mon Jun 15 21:06:51 2015 +0200| [5464da89056698856d919585256bb422558eb554] | committer: Michael Niedermayer
matroskadec: validate audio channels and bitdepth In the TTA extradata re-construction the values are written with avio_wl16 and if they don't fit into uint16_t, this triggers an av_assert2 in avio_w8. Reviewed-by: Michael Niedermayer <michae...@gmx.at> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> (cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4) Signed-off-by: Michael Niedermayer <michae...@gmx.at> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5464da89056698856d919585256bb422558eb554 --- libavformat/matroskadec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 0bfa9dc..0654b31 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1799,6 +1799,18 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + av_freep(&extradata); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog