From: liushuyu <liush...@aosc.io> In certain mca files, the coefficient table is in the data section instead of the header section. In this case, the coefficient offset relative to the header ending marker is a negative value thus failing the original condition check at line 146.
The new check just check if the coefficient offset is within the file range (since there is no way to know where the actual audio samples are without the correct header information).
---
 libavformat/mca.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavformat/mca.c b/libavformat/mca.c
index 27cfb1c..5bb9a35 100644
--- a/libavformat/mca.c
+++ b/libavformat/mca.c
@@ -48,9 +48,9 @@ static int read_header(AVFormatContext *s)
 int64_t file_size = avio_size(s->pb);
 uint16_t version = 0;
 uint32_t header_size, data_size, data_offset, loop_start, loop_end,
- nb_samples, nb_metadata, coef_offset = 0;
+ nb_samples, nb_metadata = 0;
 int ch, ret;
- int64_t ret_size;
+ int64_t ret_size, coef_offset = 0;
 st = avformat_new_stream(s, NULL);
 if (!st)
@@ -144,10 +144,10 @@ static int read_header(AVFormatContext *s)
 }
 // coefficient alignment = 0x30; metadata size = 0x14
- if (0x30 * par->channels + nb_metadata * 0x14 > header_size)
- return AVERROR_INVALIDDATA;
 coef_offset =
- header_size - 0x30 * par->channels + nb_metadata * 0x14;
+ (int64_t)header_size - 0x30 * par->channels + nb_metadata * 0x14;
+ if (coef_offset < 0 || coef_offset >= file_size)
+ return AVERROR_INVALIDDATA;
 st->start_time = 0;
 par->codec_id = AV_CODEC_ID_ADPCM_THP_LE;
--
2.28.0
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
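Review bot: The added bound `coef_offset >= file_size` in the second hunk checks only the first byte of the coefficient table and trusts `file_size`, which neither hunk shows being validated. `avio_size()` returns a negative error code when the size is unavailable, and then every non-negative offset is rejected; conversely, an offset just before EOF passes even though the table (0x30 bytes per channel, going by the comment) cannot fit. `nb_metadata * 0x14` is still evaluated as `uint32_t` and can wrap before it is widened, so casting only `header_size` does not make the result exact. I would write `(int64_t)header_size - 0x30 * (int64_t)par->channels + (int64_t)nb_metadata * 0x14;` and `if (coef_offset < 0 || (file_size > 0 && coef_offset > file_size - 0x30 * (int64_t)par->channels))`. read_header's body begins and ends outside both hunks, so any earlier validation of `file_size` or `par->channels`, and the handling of a short read after the seek, should be confirmed there.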