mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
tta: prevents overflows for 32bit integers in header.
This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
This commit is contained in:
parent
77cfb2563c
commit
ac80b812cd
@ -61,7 +61,8 @@ typedef struct TTAContext {
|
||||
GetBitContext gb;
|
||||
const AVCRC *crc_table;
|
||||
|
||||
int format, channels, bps, data_length;
|
||||
int format, channels, bps;
|
||||
unsigned data_length;
|
||||
int frame_length, last_frame_length, total_frames;
|
||||
|
||||
int32_t *decode_buffer;
|
||||
@ -253,7 +254,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
|
||||
}
|
||||
|
||||
// prevent overflow
|
||||
if (avctx->sample_rate > 0x7FFFFF) {
|
||||
if (avctx->sample_rate > 0x7FFFFFu) {
|
||||
av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
|
||||
return AVERROR(EINVAL);
|
||||
}
|
||||
@ -270,7 +271,8 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
|
||||
s->data_length, s->frame_length, s->last_frame_length, s->total_frames);
|
||||
|
||||
// FIXME: seek table
|
||||
if (get_bits_left(&s->gb) < 32 * s->total_frames + 32)
|
||||
if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 ||
|
||||
avctx->extradata_size - 26 < s->total_frames * 4)
|
||||
av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n");
|
||||
else if (avctx->err_recognition & AV_EF_CRCCHECK) {
|
||||
if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4))
|
||||
|
Loading…
Reference in New Issue
Block a user