mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
rmdec: Reject invalid deinterleaving parameters
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
parent
b4ed3d78cb
commit
f06068bbd6
@ -194,18 +194,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
|
|||||||
st->codec->codec_id = ff_codec_get_id(ff_rm_codec_tags,
|
st->codec->codec_id = ff_codec_get_id(ff_rm_codec_tags,
|
||||||
st->codec->codec_tag);
|
st->codec->codec_tag);
|
||||||
|
|
||||||
switch (ast->deint_id) {
|
|
||||||
case DEINT_ID_GENR:
|
|
||||||
case DEINT_ID_INT0:
|
|
||||||
case DEINT_ID_INT4:
|
|
||||||
case DEINT_ID_SIPR:
|
|
||||||
case DEINT_ID_VBRS:
|
|
||||||
case DEINT_ID_VBRF:
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id);
|
|
||||||
return AVERROR_INVALIDDATA;
|
|
||||||
}
|
|
||||||
switch (st->codec->codec_id) {
|
switch (st->codec->codec_id) {
|
||||||
case CODEC_ID_AC3:
|
case CODEC_ID_AC3:
|
||||||
st->need_parsing = AVSTREAM_PARSE_FULL;
|
st->need_parsing = AVSTREAM_PARSE_FULL;
|
||||||
@ -214,13 +202,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
|
|||||||
st->codec->extradata_size= 0;
|
st->codec->extradata_size= 0;
|
||||||
ast->audio_framesize = st->codec->block_align;
|
ast->audio_framesize = st->codec->block_align;
|
||||||
st->codec->block_align = coded_framesize;
|
st->codec->block_align = coded_framesize;
|
||||||
|
|
||||||
if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
|
|
||||||
av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h);
|
|
||||||
break;
|
break;
|
||||||
case CODEC_ID_COOK:
|
case CODEC_ID_COOK:
|
||||||
case CODEC_ID_ATRAC3:
|
case CODEC_ID_ATRAC3:
|
||||||
@ -251,13 +232,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
|
|||||||
}
|
}
|
||||||
if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0)
|
if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
|
|
||||||
av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h);
|
|
||||||
break;
|
break;
|
||||||
case CODEC_ID_AAC:
|
case CODEC_ID_AAC:
|
||||||
avio_rb16(pb); avio_r8(pb);
|
avio_rb16(pb); avio_r8(pb);
|
||||||
@ -277,6 +251,37 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
|
|||||||
default:
|
default:
|
||||||
av_strlcpy(st->codec->codec_name, buf, sizeof(st->codec->codec_name));
|
av_strlcpy(st->codec->codec_name, buf, sizeof(st->codec->codec_name));
|
||||||
}
|
}
|
||||||
|
if (ast->deint_id == DEINT_ID_INT4 ||
|
||||||
|
ast->deint_id == DEINT_ID_GENR ||
|
||||||
|
ast->deint_id == DEINT_ID_SIPR) {
|
||||||
|
if (st->codec->block_align <= 0 ||
|
||||||
|
ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX ||
|
||||||
|
ast->audio_framesize * sub_packet_h < st->codec->block_align)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0)
|
||||||
|
return AVERROR(ENOMEM);
|
||||||
|
}
|
||||||
|
switch (ast->deint_id) {
|
||||||
|
case DEINT_ID_INT4:
|
||||||
|
if (ast->coded_framesize > ast->audio_framesize ||
|
||||||
|
ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
break;
|
||||||
|
case DEINT_ID_GENR:
|
||||||
|
if (ast->sub_packet_size <= 0 ||
|
||||||
|
ast->sub_packet_size > ast->audio_framesize)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
break;
|
||||||
|
case DEINT_ID_SIPR:
|
||||||
|
case DEINT_ID_INT0:
|
||||||
|
case DEINT_ID_VBRS:
|
||||||
|
case DEINT_ID_VBRF:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id);
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
|
|
||||||
if (read_all) {
|
if (read_all) {
|
||||||
avio_r8(pb);
|
avio_r8(pb);
|
||||||
avio_r8(pb);
|
avio_r8(pb);
|
||||||
|
Loading…
Reference in New Issue
Block a user