From e447a4d112bcfee10126c54eb4481fa8712957c8 Mon Sep 17 00:00:00 2001 From: Mattias Wadman Date: Wed, 30 Oct 2019 14:01:28 +0100 Subject: [PATCH] libavformat/flacenc: reject too big picture blocks A too big picture will case the muxer to write a truncated block size (uint24) causing the output file to be corrupt. How to reproduce: Write a file with truncated block size: ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac Try to decode: ffmpeg -i test.flac test.wav Signed-off-by: Mattias Wadman Signed-off-by: Michael Niedermayer --- libavformat/flacenc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c index 93cc79bbe0..abbed38f89 100644 --- a/libavformat/flacenc.c +++ b/libavformat/flacenc.c @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt) AVDictionaryEntry *e; const char *mimetype = NULL, *desc = ""; const AVStream *st = s->streams[pkt->stream_index]; - int i, mimelen, desclen, type = 0; + int i, mimelen, desclen, type = 0, blocklen; if (!pkt->data) return 0; @@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt) desc = e->value; desclen = strlen(desc); + blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size; + if (blocklen >= 1<<24) { + av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n", blocklen, 1<<24); + return AVERROR(EINVAL); + } + avio_w8(pb, 0x06); - avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size); + avio_wb24(pb, blocklen); avio_wb32(pb, type);