xmv: Add more sanity checks for parameters read from the bitstream
Since the number of channels is multiplied by 36 and assigned to
to a uint16_t, make sure this calculation didn't overflow. (In
certain cases the calculation could overflow leaving the
truncated block_align at 0, leading to divisions by zero later.)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d4c2a3740f)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
			
			
This commit is contained in:
		 Martin Storsjö
					Martin Storsjö
				
			
				
					committed by
					
						 Luca Barbato
						Luca Barbato
					
				
			
			
				
	
			
			
			 Luca Barbato
						Luca Barbato
					
				
			
						parent
						
							3706c22992
						
					
				
				
					commit
					00516b5491
				
			| @@ -43,6 +43,8 @@ | ||||
|                            XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ | ||||
|                            XMV_AUDIO_ADPCM51_REARLEFTRIGHT) | ||||
|  | ||||
| #define XMV_BLOCK_ALIGN_SIZE 36 | ||||
|  | ||||
| typedef struct XMVAudioTrack { | ||||
|     uint16_t compression; | ||||
|     uint16_t channels; | ||||
| @@ -207,7 +209,7 @@ static int xmv_read_header(AVFormatContext *s) | ||||
|         track->bit_rate      = track->bits_per_sample * | ||||
|                                track->sample_rate * | ||||
|                                track->channels; | ||||
|         track->block_align   = 36 * track->channels; | ||||
|         track->block_align   = XMV_BLOCK_ALIGN_SIZE * track->channels; | ||||
|         track->block_samples = 64; | ||||
|         track->codec_id      = ff_wav_codec_get_id(track->compression, | ||||
|                                                    track->bits_per_sample); | ||||
| @@ -224,7 +226,8 @@ static int xmv_read_header(AVFormatContext *s) | ||||
|             av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " | ||||
|                                       "(0x%04X)\n", track->flags); | ||||
|  | ||||
|         if (!track->channels || !track->sample_rate) { | ||||
|         if (!track->channels || !track->sample_rate || | ||||
|              track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { | ||||
|             av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", | ||||
|                    audio_track); | ||||
|             ret = AVERROR_INVALIDDATA; | ||||
|   | ||||
		Reference in New Issue
	
	Block a user