avformat/matroskadec: Reject sipr flavor > 3

Only flavors 0..3 seem to exist. E.g. rmdec.c treats any flavor > 3 as invalid data. Furthermore, we do not know how big the packets to create ought to be given that for sipr these values are not read from the bitstream, but from a table. Furthermore, flavor is only used for sipr, so only check it for sipr; rmdec.c does the same. (The old check for flavor being < 0 was always wrong given that flavor is an int that is read via avio_rb16(), so it has been removed completely.) Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2024-12-23 12:43:46 +02:00 · 2019-12-02 10:41:12 +01:00 · 2019-12-02 10:41:12 +01:00 · 8287c20153
commit 8287c20153
parent 9dd2587f60
1 changed files with 9 additions and 7 deletions
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@ -2606,28 +2606,30 @@ static int matroska_parse_tracks(AVFormatContext *s)
            track->audio.sub_packet_h    = avio_rb16(&b);
            track->audio.frame_size      = avio_rb16(&b);
            track->audio.sub_packet_size = avio_rb16(&b);
-            if (flavor                        < 0 ||
-                track->audio.coded_framesize <= 0 ||
+            if (track->audio.coded_framesize <= 0 ||
                track->audio.sub_packet_h    <= 0 ||
                track->audio.frame_size      <= 0 ||
                track->audio.sub_packet_size <= 0 && codec_id != AV_CODEC_ID_SIPR)
                return AVERROR_INVALIDDATA;
-            track->audio.buf = av_malloc_array(track->audio.sub_packet_h,
-                                               track->audio.frame_size);
-            if (!track->audio.buf)
-                return AVERROR(ENOMEM);
+
            if (codec_id == AV_CODEC_ID_RA_288) {
                st->codecpar->block_align = track->audio.coded_framesize;
                track->codec_priv.size = 0;
            } else {
-                if (codec_id == AV_CODEC_ID_SIPR && flavor < 4) {
+                if (codec_id == AV_CODEC_ID_SIPR) {
                    static const int sipr_bit_rate[4] = { 6504, 8496, 5000, 16000 };
+                    if (flavor > 3)
+                        return AVERROR_INVALIDDATA;
                    track->audio.sub_packet_size = ff_sipr_subpk_size[flavor];
                    st->codecpar->bit_rate          = sipr_bit_rate[flavor];
                }
                st->codecpar->block_align = track->audio.sub_packet_size;
                extradata_offset       = 78;
            }
+            track->audio.buf = av_malloc_array(track->audio.sub_packet_h,
+                                               track->audio.frame_size);
+            if (!track->audio.buf)
+                return AVERROR(ENOMEM);
        } else if (codec_id == AV_CODEC_ID_FLAC && track->codec_priv.size) {
            ret = matroska_parse_flac(s, track, &extradata_offset);
            if (ret < 0)