1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
FFmpeg/libavformat/shortendec.c
Michael Niedermayer ea770eb559 avformat/shortendec: Check k in probe
Fixes: Assertion failure
Fixes: 17640/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5708767475269632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-10-16 19:17:57 +02:00

81 lines
2.6 KiB
C

/*
* Shorten demuxer
* Copyright (c) 2001 Fabrice Bellard
* Copyright (c) 2005 Alex Beregszaszi
* Copyright (c) 2015 Carl Eugen Hoyos
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "avformat.h"
#include "rawdec.h"
#include "libavcodec/golomb.h"
static int shn_probe(const AVProbeData *p)
{
GetBitContext gb;
int version, internal_ftype, channels, blocksize;
if (AV_RB32(p->buf) != 0x616a6b67)
return 0;
version = p->buf[4];
if (init_get_bits8(&gb, p->buf + 5, p->buf_size - 5 - AV_INPUT_BUFFER_PADDING_SIZE) < 0)
return 0;
if (!version) {
internal_ftype = get_ur_golomb_shorten(&gb, 4);
channels = get_ur_golomb_shorten(&gb, 0);
blocksize = 256;
} else {
unsigned k;
k = get_ur_golomb_shorten(&gb, 2);
if (k > 31)
return 0;
internal_ftype = get_ur_golomb_shorten(&gb, k);
k = get_ur_golomb_shorten(&gb, 2);
if (k > 31)
return 0;
channels = get_ur_golomb_shorten(&gb, k);
k = get_ur_golomb_shorten(&gb, 2);
if (k > 31)
return 0;
blocksize = get_ur_golomb_shorten(&gb, k);
}
if (internal_ftype != 2 && internal_ftype != 3 && internal_ftype != 5)
return 0;
if (channels < 1 || channels > 8)
return 0;
if (blocksize < 1 || blocksize > 65535)
return 0;
return AVPROBE_SCORE_EXTENSION + 1;
}
FF_RAW_DEMUXER_CLASS(shorten)
AVInputFormat ff_shorten_demuxer = {
.name = "shn",
.long_name = NULL_IF_CONFIG_SMALL("raw Shorten"),
.read_probe = shn_probe,
.read_header = ff_raw_audio_read_header,
.read_packet = ff_raw_read_partial_packet,
.flags = AVFMT_NOBINSEARCH | AVFMT_NOGENSEARCH | AVFMT_NO_BYTE_SEEK | AVFMT_NOTIMESTAMPS,
.extensions = "shn",
.raw_codec_id = AV_CODEC_ID_SHORTEN,
.priv_data_size = sizeof(FFRawDemuxerContext),
.priv_class = &shorten_demuxer_class,
};