Inspired by work from: Michael Niedermayer <michaelni@gmx.at>.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
| ... | ... |
@@ -27,6 +27,8 @@ |
| 27 | 27 |
#include "avformat.h" |
| 28 | 28 |
#include "adts.h" |
| 29 | 29 |
|
| 30 |
+#define ADTS_MAX_FRAME_BYTES ((1 << 13) - 1) |
|
| 31 |
+ |
|
| 30 | 32 |
int ff_adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, uint8_t *buf, int size) |
| 31 | 33 |
{
|
| 32 | 34 |
GetBitContext gb; |
| ... | ... |
@@ -93,6 +95,13 @@ int ff_adts_write_frame_header(ADTSContext *ctx, |
| 93 | 93 |
{
|
| 94 | 94 |
PutBitContext pb; |
| 95 | 95 |
|
| 96 |
+ unsigned full_frame_size = (unsigned)ADTS_HEADER_SIZE + size + pce_size; |
|
| 97 |
+ if (full_frame_size > ADTS_MAX_FRAME_BYTES) {
|
|
| 98 |
+ av_log(NULL, AV_LOG_ERROR, "ADTS frame size too large: %u (max %d)\n", |
|
| 99 |
+ full_frame_size, ADTS_MAX_FRAME_BYTES); |
|
| 100 |
+ return AVERROR_INVALIDDATA; |
|
| 101 |
+ } |
|
| 102 |
+ |
|
| 96 | 103 |
init_put_bits(&pb, buf, ADTS_HEADER_SIZE); |
| 97 | 104 |
|
| 98 | 105 |
/* adts_fixed_header */ |
| ... | ... |
@@ -110,7 +119,7 @@ int ff_adts_write_frame_header(ADTSContext *ctx, |
| 110 | 110 |
/* adts_variable_header */ |
| 111 | 111 |
put_bits(&pb, 1, 0); /* copyright_identification_bit */ |
| 112 | 112 |
put_bits(&pb, 1, 0); /* copyright_identification_start */ |
| 113 |
- put_bits(&pb, 13, ADTS_HEADER_SIZE + size + pce_size); /* aac_frame_length */ |
|
| 113 |
+ put_bits(&pb, 13, full_frame_size); /* aac_frame_length */ |
|
| 114 | 114 |
put_bits(&pb, 11, 0x7ff); /* adts_buffer_fullness */ |
| 115 | 115 |
put_bits(&pb, 2, 0); /* number_of_raw_data_blocks_in_frame */ |
| 116 | 116 |
|
| ... | ... |
@@ -128,7 +137,10 @@ static int adts_write_packet(AVFormatContext *s, AVPacket *pkt) |
| 128 | 128 |
if (!pkt->size) |
| 129 | 129 |
return 0; |
| 130 | 130 |
if (adts->write_adts) {
|
| 131 |
- ff_adts_write_frame_header(adts, buf, pkt->size, adts->pce_size); |
|
| 131 |
+ int err = ff_adts_write_frame_header(adts, buf, pkt->size, |
|
| 132 |
+ adts->pce_size); |
|
| 133 |
+ if (err < 0) |
|
| 134 |
+ return err; |
|
| 132 | 135 |
avio_write(pb, buf, ADTS_HEADER_SIZE); |
| 133 | 136 |
if (adts->pce_size) {
|
| 134 | 137 |
avio_write(pb, adts->pce_data, adts->pce_size); |
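Review bot: The new bound in ff_adts_write_frame_header is computed in unsigned arithmetic, so a negative `size` or `pce_size` can wrap the sum back into range and pass the `> ADTS_MAX_FRAME_BYTES` test. For example, `size == -1` yields `ADTS_HEADER_SIZE - 1 + pce_size`, and the visible caller adts_write_packet only rejects `pkt->size == 0`. The parameter types are declared outside the hunk, but the `(unsigned)` cast suggests they are signed; if so, rejecting negatives first closes the gap: `if (size < 0 || pce_size < 0 || full_frame_size > ADTS_MAX_FRAME_BYTES) {`. The macro would also benefit from a comment such as `/* largest value of the 13-bit aac_frame_length field (header + PCE + payload) */`, which ties the constant to the `put_bits(&pb, 13, ...)` call it protects.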
| ... | ... |
@@ -971,7 +971,7 @@ static int mpegts_write_packet(AVFormatContext *s, AVPacket *pkt) |
| 971 | 971 |
return -1; |
| 972 | 972 |
if ((AV_RB16(pkt->data) & 0xfff0) != 0xfff0) {
|
| 973 | 973 |
ADTSContext *adts = ts_st->adts; |
| 974 |
- int new_size; |
|
| 974 |
+ int new_size, err; |
|
| 975 | 975 |
if (!adts) {
|
| 976 | 976 |
av_log(s, AV_LOG_ERROR, "aac bitstream not in adts format " |
| 977 | 977 |
"and extradata missing\n"); |
| ... | ... |
@@ -983,7 +983,12 @@ static int mpegts_write_packet(AVFormatContext *s, AVPacket *pkt) |
| 983 | 983 |
data = av_malloc(new_size); |
| 984 | 984 |
if (!data) |
| 985 | 985 |
return AVERROR(ENOMEM); |
| 986 |
- ff_adts_write_frame_header(adts, data, pkt->size, adts->pce_size); |
|
| 986 |
+ err = ff_adts_write_frame_header(adts, data, pkt->size, |
|
| 987 |
+ adts->pce_size); |
|
| 988 |
+ if (err < 0) {
|
|
| 989 |
+ av_free(data); |
|
| 990 |
+ return err; |
|
| 991 |
+ } |
|
| 987 | 992 |
if (adts->pce_size) {
|
| 988 | 993 |
memcpy(data+ADTS_HEADER_SIZE, adts->pce_data, adts->pce_size); |
| 989 | 994 |
adts->pce_size = 0; |
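Review bot: In mpegts_write_packet the length check only runs after `av_malloc(new_size)`, so an oversized packet still gets an allocation that is then freed, and nothing visible bounds `pkt->size` before `new_size` is computed. `new_size` is assigned outside this hunk, presumably from the same header, PCE and packet sizes; if so, a very large `pkt->size` could overflow that `int` sum before ff_adts_write_frame_header can reject it. Bounding the packet ahead of the `new_size` computation would keep the rejected case away from the allocator, e.g. `if (pkt->size < 0 || pkt->size > ADTS_MAX_FRAME_BYTES) return AVERROR_INVALIDDATA;`. The limit is defined in the other source file in this commit, so it would first need to move to a shared header. The function body starts and continues outside the hunk.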