virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-10-30 23:18:11 +02:00
Code Issues Releases Activity

avformat/oggparsespeex: Check frames_per_packet and packet_size

Browse Source 
The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2016-12-03 03:40:55 +01:00
parent 90da187f1d
commit afcf15b0db
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/oggparsespeex.c
View File

@@ -82,6 +82,13 @@ static int speex_header(AVFormatContext *s, int idx) {
spxp->packet_size = AV_RL32(p + 56);
frames_per_packet = AV_RL32(p + 64);
if (spxp->packet_size < 0 ||
frames_per_packet < 0 ||
spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) {
av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet);
spxp->packet_size = 0;
return AVERROR_INVALIDDATA;
}
if (frames_per_packet)
spxp->packet_size *= frames_per_packet;