Avoids an assert when the sample rate is invalid and the timebase
is thus set to e.g. 1/0.
Sample file is http://samples.mplayerhq.hu/ogg/fuzzed-srate-crash.ogg
This is a quick fix for a crash, not a final solution.
Signed-off-by: Mans Rullgard <mans@mansr.com>
| ... | ... |
@@ -221,6 +221,7 @@ vorbis_header (AVFormatContext * s, int idx) |
| 221 | 221 |
if (os->buf[os->pstart] == 1) {
|
| 222 | 222 |
const uint8_t *p = os->buf + os->pstart + 7; /* skip "\001vorbis" tag */ |
| 223 | 223 |
unsigned blocksize, bs0, bs1; |
| 224 |
+ int srate; |
|
| 224 | 225 |
|
| 225 | 226 |
if (os->psize != 30) |
| 226 | 227 |
return -1; |
| ... | ... |
@@ -229,7 +230,7 @@ vorbis_header (AVFormatContext * s, int idx) |
| 229 | 229 |
return -1; |
| 230 | 230 |
|
| 231 | 231 |
st->codec->channels = bytestream_get_byte(&p); |
| 232 |
- st->codec->sample_rate = bytestream_get_le32(&p); |
|
| 232 |
+ srate = bytestream_get_le32(&p); |
|
| 233 | 233 |
p += 4; // skip maximum bitrate |
| 234 | 234 |
st->codec->bit_rate = bytestream_get_le32(&p); // nominal bitrate |
| 235 | 235 |
p += 4; // skip minimum bitrate |
| ... | ... |
@@ -249,8 +250,11 @@ vorbis_header (AVFormatContext * s, int idx) |
| 249 | 249 |
st->codec->codec_type = AVMEDIA_TYPE_AUDIO; |
| 250 | 250 |
st->codec->codec_id = CODEC_ID_VORBIS; |
| 251 | 251 |
|
| 252 |
- st->time_base.num = 1; |
|
| 253 |
- st->time_base.den = st->codec->sample_rate; |
|
| 252 |
+ if (srate > 0) {
|
|
| 253 |
+ st->codec->sample_rate = srate; |
|
| 254 |
+ st->time_base.num = 1; |
|
| 255 |
+ st->time_base.den = srate; |
|
| 256 |
+ } |
|
| 254 | 257 |
} else if (os->buf[os->pstart] == 3) {
|
| 255 | 258 |
if (os->psize > 8) |
| 256 | 259 |
ff_vorbis_comment (s, &st->metadata, os->buf + os->pstart + 7, os->psize - 8); |
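Review bot: When the rate is zero or negative, the new `if (srate > 0)` guard in the last hunk is skipped but vorbis_header carries on as if the identification header were valid. The stream keeps whatever `sample_rate` and `time_base` it already had, and later code that assumes a usable rate from this untrusted file is still exposed. Rejecting the packet would match the sanity checks visible in the first two hunks (`if (os->psize != 30) return -1;`), for example `if (srate <= 0) return -1;` directly after `srate = bytestream_get_le32(&p);` in the second hunk. Separately, `srate` is declared `int` but is filled from a 32-bit unsigned read, so values above INT_MAX are rejected only because the implementation-defined conversion makes them negative; a comment at the declaration such as `/* le32 values > INT_MAX convert to negative and are rejected */` would make that reliance explicit. The function starts and ends outside the hunks shown, so an early return should be checked against the lines not visible here.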