[libav-devel] [PATCH 17/18] xmv: Add more sanity checks for parameters read from the bitstream

Martin Storsjö Mon, 16 Sep 2013 12:07:23 -0700

Since the number of channels is multiplied by 36 and assigned to
to a uint16_t, make sure this calculation didn't overflow. (In
certain cases the calculation could overflow leaving the
truncated block_align at 0, leading to divisions by zero later.)


Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-sta...@libav.org
---
 libavformat/xmv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index bc7c3c9..dd8a02d 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -224,7 +224,8 @@ static int xmv_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
                                       "(0x%04X)\n", track->flags);
 
-        if (!track->channels || !track->sample_rate) {
+        if (!track->channels || !track->sample_rate ||
+             track->channels >= UINT16_MAX/36) {
             av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
                    audio_track);
             ret = AVERROR_INVALIDDATA;
-- 
1.7.9.4

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 17/18] xmv: Add more sanity checks for parameters read from the bitstream

Reply via email to