virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-04 22:03:09 +02:00
Code Issues Releases Activity

avcodec/qdm2: Use explicit overread checks instead of implicit ones

Browse Source 
If there were not enough data, checksum_size would be read
as zero (due to the implicit checks of the bytestream2 API)
and run into a "data block size invalid" error. Erroring out
earlier via "not enough extradata" is better.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This commit is contained in:
Andreas Rheinhardt
2025-03-14 02:58:33 +01:00
parent be7642b198
commit 60f49f4d92
1 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
libavcodec/qdm2.c
View File

@ -1661,20 +1661,20 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
bytestream2_init(&gb, avctx->extradata, avctx->extradata_size); bytestream2_init(&gb, avctx->extradata, avctx->extradata_size);
while (bytestream2_get_bytes_left(&gb) > 8) { while (bytestream2_get_bytes_left(&gb) > 8) {
if (bytestream2_peek_be64(&gb) == (((uint64_t)MKBETAG('f','r','m','a') << 32) | if (bytestream2_peek_be64u(&gb) == (((uint64_t)MKBETAG('f','r','m','a') << 32) |
(uint64_t)MKBETAG('Q','D','M','2'))) (uint64_t)MKBETAG('Q','D','M','2')))
break; break;
bytestream2_skip(&gb, 1); bytestream2_skipu(&gb, 1);
} }
if (bytestream2_get_bytes_left(&gb) < 12) { if (bytestream2_get_bytes_left(&gb) < 44) {
av_log(avctx, AV_LOG_ERROR, "not enough extradata (%i)\n", av_log(avctx, AV_LOG_ERROR, "not enough extradata (%i)\n",
bytestream2_get_bytes_left(&gb)); bytestream2_get_bytes_left(&gb));
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
bytestream2_skip(&gb, 8); bytestream2_skipu(&gb, 8);
size = bytestream2_get_be32(&gb); size = bytestream2_get_be32u(&gb);
if (size > bytestream2_get_bytes_left(&gb)) { if (size > bytestream2_get_bytes_left(&gb)) {
av_log(avctx, AV_LOG_ERROR, "extradata size too small, %i < %i\n", av_log(avctx, AV_LOG_ERROR, "extradata size too small, %i < %i\n",
@ -1683,14 +1683,14 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
} }
av_log(avctx, AV_LOG_DEBUG, "size: %d\n", size); av_log(avctx, AV_LOG_DEBUG, "size: %d\n", size);
if (bytestream2_get_be32(&gb) != MKBETAG('Q','D','C','A')) { if (bytestream2_get_be32u(&gb) != MKBETAG('Q','D','C','A')) {
av_log(avctx, AV_LOG_ERROR, "invalid extradata, expecting QDCA\n"); av_log(avctx, AV_LOG_ERROR, "invalid extradata, expecting QDCA\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
bytestream2_skip(&gb, 4); bytestream2_skipu(&gb, 4);
s->nb_channels = s->channels = bytestream2_get_be32(&gb); s->nb_channels = s->channels = bytestream2_get_be32u(&gb);
if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) { if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) {
av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
@ -1698,11 +1698,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
av_channel_layout_uninit(&avctx->ch_layout); av_channel_layout_uninit(&avctx->ch_layout);
av_channel_layout_default(&avctx->ch_layout, s->channels); av_channel_layout_default(&avctx->ch_layout, s->channels);
avctx->sample_rate = bytestream2_get_be32(&gb); avctx->sample_rate = bytestream2_get_be32u(&gb);
avctx->bit_rate = bytestream2_get_be32(&gb); avctx->bit_rate = bytestream2_get_be32u(&gb);
s->group_size = bytestream2_get_be32(&gb); s->group_size = bytestream2_get_be32u(&gb);
s->fft_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32u(&gb);
s->checksum_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32u(&gb);
if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) { if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) {
av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;