[FFmpeg-cvslog] latmenc: error out when packet size is too large.
Reimar Döffinger
git at videolan.org
Wed Apr 11 22:31:44 CEST 2012
ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Tue Apr 10 21:11:50 2012 +0200| [8e357e8e759b36e5609ccd12a9e324aee0e8afc8] | committer: Reimar Döffinger
latmenc: error out when packet size is too large.
Previously it would just silently write out incorrect data.
This also fixes a potential integer overflow in the allocation.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8e357e8e759b36e5609ccd12a9e324aee0e8afc8
---
libavformat/latmenc.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c
index 3eadfe0..3ee277d 100644
--- a/libavformat/latmenc.c
+++ b/libavformat/latmenc.c
@@ -138,7 +138,7 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
PutBitContext bs;
int i, len;
uint8_t loas_header[] = "\x56\xe0\x00";
- uint8_t *buf;
+ uint8_t *buf = NULL;
if (s->streams[0]->codec->codec_id == CODEC_ID_AAC_LATM)
return ff_raw_write_packet(s, pkt);
@@ -147,6 +147,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
av_log(s, AV_LOG_ERROR, "ADTS header detected - ADTS will not be incorrectly muxed into LATM\n");
return AVERROR_INVALIDDATA;
}
+ if (pkt->size > 0x1fff)
+ goto too_large;
buf = av_malloc(pkt->size+1024);
if (!buf)
@@ -173,6 +175,9 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
len = put_bits_count(&bs) >> 3;
+ if (len > 0x1fff)
+ goto too_large;
+
loas_header[1] |= (len >> 8) & 0x1f;
loas_header[2] |= len & 0xff;
@@ -182,6 +187,11 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
av_free(buf);
return 0;
+
+too_large:
+ av_log(s, AV_LOG_ERROR, "LATM packet size larger than maximum size 0x1fff\n");
+ av_free(buf);
+ return AVERROR_INVALIDDATA;
}
AVOutputFormat ff_latm_muxer = {
More information about the ffmpeg-cvslog
mailing list