[FFmpeg-cvslog] matroskadec: validate audio channels and bitdepth

Andreas Cadhalpun git at videolan.org
Mon Jul 20 10:48:20 CEST 2015


ffmpeg | branch: release/2.6 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Mon Jun 15 21:06:51 2015 +0200| [476cf3eb7e6f959bb2afe5959c86cb18f253eb26] | committer: Michael Niedermayer

matroskadec: validate audio channels and bitdepth

In the TTA extradata re-construction the values are written with
avio_wl16 and if they don't fit into uint16_t, this triggers an
av_assert2 in avio_w8.

Reviewed-by: Michael Niedermayer <michaelni at gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=476cf3eb7e6f959bb2afe5959c86cb18f253eb26
---

 libavformat/matroskadec.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index e8af60f..85e5c8a 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1855,6 +1855,18 @@ static int matroska_parse_tracks(AVFormatContext *s)
                               NULL, NULL, NULL, NULL);
             avio_write(&b, "TTA1", 4);
             avio_wl16(&b, 1);
+            if (track->audio.channels > UINT16_MAX ||
+                track->audio.bitdepth > UINT16_MAX) {
+                av_log(matroska->ctx, AV_LOG_WARNING,
+                       "Too large audio channel number %"PRIu64
+                       " or bitdepth %"PRIu64". Skipping track.\n",
+                       track->audio.channels, track->audio.bitdepth);
+                av_freep(&extradata);
+                if (matroska->ctx->error_recognition & AV_EF_EXPLODE)
+                    return AVERROR_INVALIDDATA;
+                else
+                    continue;
+            }
             avio_wl16(&b, track->audio.channels);
             avio_wl16(&b, track->audio.bitdepth);
             if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX)



More information about the ffmpeg-cvslog mailing list