mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-03-17 20:17:55 +02:00
avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
66e8f87ebc
commit
e9003828dd
@ -76,6 +76,13 @@ static int speex_header(AVFormatContext *s, int idx) {
|
||||
|
||||
spxp->packet_size = AV_RL32(p + 56);
|
||||
frames_per_packet = AV_RL32(p + 64);
|
||||
if (spxp->packet_size < 0 ||
|
||||
frames_per_packet < 0 ||
|
||||
spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) {
|
||||
av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet);
|
||||
spxp->packet_size = 0;
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
if (frames_per_packet)
|
||||
spxp->packet_size *= frames_per_packet;
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user