[FFmpeg-devel] [PATCH 4/9] genh: prevent overflow during block alignment calculation

Ronald S. Bultje rsbultje at gmail.com
Sat Jan 7 14:42:40 EET 2017


Hi,

On Fri, Jan 6, 2017 at 8:43 PM, Michael Niedermayer <michael at niedermayer.cc>
wrote:

> On Fri, Jan 06, 2017 at 08:48:02PM +0100, Andreas Cadhalpun wrote:
> > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> > ---
> >  libavformat/genh.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/libavformat/genh.c b/libavformat/genh.c
> > index b683e026d1..6ce2588ed3 100644
> > --- a/libavformat/genh.c
> > +++ b/libavformat/genh.c
> > @@ -74,6 +74,7 @@ static int genh_read_header(AVFormatContext *s)
> >      case  0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX;
> break;
> >      case  1:
> >      case 11: st->codecpar->bits_per_coded_sample = 4;
> > +             FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels > INT_MAX
> / 36)
> >               st->codecpar->block_align = 36 * st->codecpar->channels;
> >               st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV;
> break;
> >      case  2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK;
> break;
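Review bot: The condition on the added line under case 11 (channels > INT_MAX / 36) bounds only the upper side and only the factor 36, so a negative channels value passes it and still reaches the 36 * st->codecpar->channels assignment on the next line. Consider validating the range of channels once, where the value is first read, with a bound that holds for every later multiplication instead of per case. The macro invocation also carries no trailing semicolon, so whether it reads as a complete statement depends on the macro's expansion; a semicolon-terminated form would be easier to follow.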
>
> I see a channels * 1024 in genh_read_packet()
> is the added check sufficient?
>
> Also I think we should ask for a sample for a file that has a
> channel count beyond normal bounds


Not in this code. Such generic channel sanity checks belong in utils.c, not
here, and should not be invoked by the demuxer explicitly, but always run
as an integral part of read_header or add_stream or so.

Ronald
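
The two points raised in this thread, as an added example that is not part of the original messages and is not FFmpeg code: a guard written for the factor 36 accepts channel counts that overflow the channels * 1024 product, while one check run at stream setup covers both. The function names and the FACTORS table are hypothetical; only the two multipliers come from the thread.

```c
#include <limits.h>
#include <stdio.h>

/* Multipliers named in the thread: 36 (block_align) and 1024 (read_packet). */
static const int FACTORS[] = { 36, 1024 };
#define NB_FACTORS ((int)(sizeof(FACTORS) / sizeof(FACTORS[0])))

/* Per-site guard with the same shape as the patch's condition, plus a
 * lower bound: it says nothing about any other factor. */
static int product_fits(int channels, int factor)
{
    return channels >= 0 && channels <= INT_MAX / factor;
}

/* Hypothetical central check: validate the channel count once, before any
 * demuxer code multiplies it. Returns 0 if usable, -1 otherwise. */
static int check_channels(int channels)
{
    if (channels <= 0)
        return -1;
    for (int i = 0; i < NB_FACTORS; i++)
        if (!product_fits(channels, FACTORS[i]))
            return -1;
    return 0;
}

int main(void)
{
    /* Constructed value: the largest count the 36x guard accepts. */
    int c = INT_MAX / 36;

    printf("channels=%d 36x guard=%d 1024x guard=%d central check=%d\n",
           c, product_fits(c, 36), product_fits(c, 1024), check_channels(c));
    return 0;
}
```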

