Browse code
rmdec: Reject invalid deinterleaving parameters
Signed-off-by: Martin Storsjö <martin@martin.st>
Laurent Aimar authored on 2011/09/17 07:05:13Showing 1 changed files
| ... | ... |
@@ -194,18 +194,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, |
| 194 | 194 |
st->codec->codec_id = ff_codec_get_id(ff_rm_codec_tags, |
| 195 | 195 |
st->codec->codec_tag); |
| 196 | 196 |
|
| 197 |
- switch (ast->deint_id) {
|
|
| 198 |
- case DEINT_ID_GENR: |
|
| 199 |
- case DEINT_ID_INT0: |
|
| 200 |
- case DEINT_ID_INT4: |
|
| 201 |
- case DEINT_ID_SIPR: |
|
| 202 |
- case DEINT_ID_VBRS: |
|
| 203 |
- case DEINT_ID_VBRF: |
|
| 204 |
- break; |
|
| 205 |
- default: |
|
| 206 |
- av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id); |
|
| 207 |
- return AVERROR_INVALIDDATA; |
|
| 208 |
- } |
|
| 209 | 197 |
switch (st->codec->codec_id) {
|
| 210 | 198 |
case CODEC_ID_AC3: |
| 211 | 199 |
st->need_parsing = AVSTREAM_PARSE_FULL; |
| ... | ... |
@@ -214,13 +202,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, |
| 214 | 214 |
st->codec->extradata_size= 0; |
| 215 | 215 |
ast->audio_framesize = st->codec->block_align; |
| 216 | 216 |
st->codec->block_align = coded_framesize; |
| 217 |
- |
|
| 218 |
- if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
|
|
| 219 |
- av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n"); |
|
| 220 |
- return -1; |
|
| 221 |
- } |
|
| 222 |
- |
|
| 223 |
- av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h); |
|
| 224 | 217 |
break; |
| 225 | 218 |
case CODEC_ID_COOK: |
| 226 | 219 |
case CODEC_ID_ATRAC3: |
| ... | ... |
@@ -251,13 +232,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, |
| 251 | 251 |
} |
| 252 | 252 |
if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0) |
| 253 | 253 |
return ret; |
| 254 |
- |
|
| 255 |
- if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
|
|
| 256 |
- av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n"); |
|
| 257 |
- return -1; |
|
| 258 |
- } |
|
| 259 |
- |
|
| 260 |
- av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h); |
|
| 261 | 254 |
break; |
| 262 | 255 |
case CODEC_ID_AAC: |
| 263 | 256 |
avio_rb16(pb); avio_r8(pb); |
| ... | ... |
@@ -277,6 +251,37 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, |
| 277 | 277 |
default: |
| 278 | 278 |
av_strlcpy(st->codec->codec_name, buf, sizeof(st->codec->codec_name)); |
| 279 | 279 |
} |
| 280 |
+ if (ast->deint_id == DEINT_ID_INT4 || |
|
| 281 |
+ ast->deint_id == DEINT_ID_GENR || |
|
| 282 |
+ ast->deint_id == DEINT_ID_SIPR) {
|
|
| 283 |
+ if (st->codec->block_align <= 0 || |
|
| 284 |
+ ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || |
|
| 285 |
+ ast->audio_framesize * sub_packet_h < st->codec->block_align) |
|
| 286 |
+ return AVERROR_INVALIDDATA; |
|
| 287 |
+ if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) |
|
| 288 |
+ return AVERROR(ENOMEM); |
|
| 289 |
+ } |
|
| 290 |
+ switch (ast->deint_id) {
|
|
| 291 |
+ case DEINT_ID_INT4: |
|
| 292 |
+ if (ast->coded_framesize > ast->audio_framesize || |
|
| 293 |
+ ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) |
|
| 294 |
+ return AVERROR_INVALIDDATA; |
|
| 295 |
+ break; |
|
| 296 |
+ case DEINT_ID_GENR: |
|
| 297 |
+ if (ast->sub_packet_size <= 0 || |
|
| 298 |
+ ast->sub_packet_size > ast->audio_framesize) |
|
| 299 |
+ return AVERROR_INVALIDDATA; |
|
| 300 |
+ break; |
|
| 301 |
+ case DEINT_ID_SIPR: |
|
| 302 |
+ case DEINT_ID_INT0: |
|
| 303 |
+ case DEINT_ID_VBRS: |
|
| 304 |
+ case DEINT_ID_VBRF: |
|
| 305 |
+ break; |
|
| 306 |
+ default: |
|
| 307 |
+ av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id); |
|
| 308 |
+ return AVERROR_INVALIDDATA; |
|
| 309 |
+ } |
|
| 310 |
+ |
|
| 280 | 311 |
if (read_all) {
|
| 281 | 312 |
avio_r8(pb); |
| 282 | 313 |
avio_r8(pb); |