[FFmpeg-devel] [libav-devel] [PATCH 2/2] matroskadec: validate audio channels and bitdepth

Hendrik Leppkes h.leppkes at gmail.com
Mon Jun 15 21:41:41 CEST 2015


On Mon, Jun 15, 2015 at 9:17 PM, Andreas Cadhalpun
<andreas.cadhalpun at googlemail.com> wrote:
> The values are written with avio_wl16 and if they don't fit into
> uint16_t, this triggers an av_assert2 in avio_w8.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/matroskadec.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index 81dd53f..7af03c9 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -1889,6 +1889,14 @@ static int matroska_parse_tracks(AVFormatContext *s)
>                                NULL, NULL, NULL, NULL);
>              avio_write(&b, "TTA1", 4);
>              avio_wl16(&b, 1);
> +            if (track->audio.channels > UINT16_MAX ||
> +                track->audio.bitdepth > UINT16_MAX) {
> +                av_log(matroska->ctx, AV_LOG_ERROR,
> +                       "Too large audio channel number %"PRIu64
> +                       " or bitdepth %"PRIu64".\n",
> +                       track->audio.channels, track->audio.bitdepth);
> +                return AVERROR_INVALIDDATA;
> +            }
>              avio_wl16(&b, track->audio.channels);
>              avio_wl16(&b, track->audio.bitdepth);
>              if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX)
> --

The commit message could clarify that this is in the TTA extradata
re-construction, because I was briefly confused why a demuxer would
"write" the sample rate.

Additionally, I would vote for using continue and just leaving this
track broken, instead of erroring out of reading entirely and making
reading the entire file impossible.

- Hendrik


More information about the ffmpeg-devel mailing list