xmv: Add more sanity checks for parameters read from the bitstream

Message ID 1379423151-16717-1-git-send-email-martin@martin.st
State Committed
Commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68
Headers show

Commit Message

Martin Storsjö Sept. 17, 2013, 1:05 p.m.
Since the number of channels is multiplied by 36 and assigned to
to a uint16_t, make sure this calculation didn't overflow. (In
certain cases the calculation could overflow leaving the
truncated block_align at 0, leading to divisions by zero later.)

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavformat/xmv.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Luca Barbato Sept. 17, 2013, 1:38 p.m. | #1
On 17/09/13 15:05, Martin Storsjö wrote:
> Since the number of channels is multiplied by 36 and assigned to
> to a uint16_t, make sure this calculation didn't overflow. (In
> certain cases the calculation could overflow leaving the
> truncated block_align at 0, leading to divisions by zero later.)
> 

Ok.

Patch

diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index bc7c3c9..2b2fd45 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -43,6 +43,8 @@ 
                            XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \
                            XMV_AUDIO_ADPCM51_REARLEFTRIGHT)
 
+#define XMV_BLOCK_ALIGN_SIZE 36
+
 typedef struct XMVAudioTrack {
     uint16_t compression;
     uint16_t channels;
@@ -207,7 +209,7 @@  static int xmv_read_header(AVFormatContext *s)
         track->bit_rate      = track->bits_per_sample *
                                track->sample_rate *
                                track->channels;
-        track->block_align   = 36 * track->channels;
+        track->block_align   = XMV_BLOCK_ALIGN_SIZE * track->channels;
         track->block_samples = 64;
         track->codec_id      = ff_wav_codec_get_id(track->compression,
                                                    track->bits_per_sample);
@@ -224,7 +226,8 @@  static int xmv_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
                                       "(0x%04X)\n", track->flags);
 
-        if (!track->channels || !track->sample_rate) {
+        if (!track->channels || !track->sample_rate ||
+             track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) {
             av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
                    audio_track);
             ret = AVERROR_INVALIDDATA;