[FFmpeg-devel] [PATCH] aiffdec: fix division by zero
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Mon Oct 17 19:27:29 EEST 2016
On 17.10.2016 17:13, Michael Niedermayer wrote:
> On Mon, Oct 17, 2016 at 04:17:35PM +0200, Andreas Cadhalpun wrote:
>> On 17.10.2016 05:43, Michael Niedermayer wrote:
>>> On Sun, Oct 16, 2016 at 10:38:42PM +0200, Andreas Cadhalpun wrote:
>>>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>>>> ---
>>>> libavformat/aiffdec.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
>>>> index cd916f9..de82787 100644
>>>> --- a/libavformat/aiffdec.c
>>>> +++ b/libavformat/aiffdec.c
>>>> @@ -380,7 +380,7 @@ static int aiff_read_packet(AVFormatContext *s,
>>>> size = st->codecpar->block_align;
>>>> break;
>>>> default:
>>>> - size = (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align;
>>>> + size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE;
>>>
>>> how do you reach block_align == 0 ?
>>> aiff_read_header() checks for block_align == 0
>>
>> I'm not aware of a way to reproduce this with the ffmpeg binary, however
>> an API user (e.g. my fuzz-testing-program) can change codecpar->codec_type
>> and codecpar->codec_id to force decoding a stream with a particular codec.
>>
>> However, avcodec_parameters_from_context sets codecpar->block_align to 0
>> for AVMEDIA_TYPE_VIDEO thus causing the subsequent crash.
>
> hmm, patch is probably ok then
Pushed.
What about the similar patches for astdec and westwood_aud?
Best regards,
Andreas
More information about the ffmpeg-devel
mailing list