From b88f902125ee808c8366e9dcb3f21e4c227483fc Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Mar 2013 10:09:36 +0100
Subject: [PATCH 1/2] bmv: check for len being valid in bmv_decode_frame().
It can be 0 or -1 for invalid files, which may result in invalid memory access.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/bmv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c
index b6b685b556..941051ba7f 100644
--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -135,7 +135,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
 mode += 1 + advance_mode;
 if (mode >= 4)
 mode -= 3;
- if (FFABS(dst_end - dst) < len)
+ if (len <= 0 || FFABS(dst_end - dst) < len)
 return AVERROR_INVALIDDATA;
 switch (mode) {
 case 1:
From d1016dccdcb10486245e5d7c186cc31af54b2a9c Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Mar 2013 10:33:02 +0100
Subject: [PATCH 2/2] xmv: check audio track parameters validity.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavformat/xmv.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index d638ad1ef4..e9b2b0d51e 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -126,6 +126,16 @@ static int xmv_probe(AVProbeData *p)
 return 0;
 }
+static int xmv_read_close(AVFormatContext *s)
+{
+ XMVDemuxContext *xmv = s->priv_data;
+
+ av_free(xmv->audio);
+ av_free(xmv->audio_tracks);
+
+ return 0;
+}
+
 static int xmv_read_header(AVFormatContext *s)
 {
 XMVDemuxContext *xmv = s->priv_data;
@@ -135,6 +145,7 @@ static int xmv_read_header(AVFormatContext *s)
 uint32_t file_version;
 uint32_t this_packet_size;
 uint16_t audio_track;
+ int ret;
 avio_skip(pb, 4); /* Next packet size */
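Review bot: The added `len <= 0` guard in the libavcodec/bmv.c hunk carries no comment, and the code that computes `len` is outside the hunk, so a later reader cannot see why a non-positive length is reachable. I would put `/* invalid files can produce a len of 0 or -1 */` above the check so the guard is not simplified away later. It is also worth confirming, upstream of this hunk, that `len` cannot overflow while it is being built, since this test only catches values that are still non-positive when they arrive here. decode_bmv_frame's body starts and ends outside the hunk.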
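Review bot: xmv_read_close() in the first libavformat/xmv.c hunk releases `xmv->audio` and `xmv->audio_tracks` with `av_free()` and leaves both pointers dangling, which matters now that a later hunk calls it from the `fail:` path of xmv_read_header(). If the generic demuxer layer also runs the close callback after a failed header read (not visible here), the same buffers would be freed twice. Using `av_freep(&xmv->audio);` and `av_freep(&xmv->audio_tracks);` resets the pointers and makes the function safe to call more than once.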
@@ -211,6 +222,13 @@ static int xmv_read_header(AVFormatContext *s)
 av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
 "(0x%04X)\n", track->flags);
+ if (!track->channels || !track->sample_rate) {
+ av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
+ audio_track);
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
 ast = avformat_new_stream(s, NULL);
 if (!ast)
 return AVERROR(ENOMEM);
@@ -239,6 +257,10 @@ static int xmv_read_header(AVFormatContext *s)
 xmv->stream_count = xmv->audio_track_count + 1;
 return 0;
+
+fail:
+ xmv_read_close(s);
+ return ret;
 }
 static void xmv_read_extradata(uint8_t *extradata, AVIOContext *pb)
@@ -546,16 +568,6 @@ static int xmv_read_packet(AVFormatContext *s,
 return 0;
 }
-static int xmv_read_close(AVFormatContext *s)
-{
- XMVDemuxContext *xmv = s->priv_data;
-
- av_free(xmv->audio);
- av_free(xmv->audio_tracks);
-
- return 0;
-}
-
 AVInputFormat ff_xmv_demuxer = {
 .name = "xmv",
 .long_name = NULL_IF_CONFIG_SMALL("Microsoft XMV"),
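Review bot: The context lines `if (!ast) return AVERROR(ENOMEM);` directly after the new parameter check still return straight out of xmv_read_header(), so that failure skips the `fail:` cleanup this commit introduces. Whatever xmv_read_close() would have released stays allocated on that path. I would route it through the same label: `if (!ast) { ret = AVERROR(ENOMEM); goto fail; }`. The function starts and ends outside this hunk, so any other early `return` in it probably needs the same treatment.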