[FFmpeg-cvslog] tta: prevents overflows for 32bit integers in header.

Ronald S. Bultje git at videolan.org
Sun May 6 00:28:30 CEST 2012


ffmpeg | branch: release/0.10 | Ronald S. Bultje <rsbultje at gmail.com> | Thu Mar 29 12:44:55 2012 -0700| [0e4bb0530f7d4cb1343499ee2bf0cb943d3b9a41] | committer: Reinhard Tartler

tta: prevents overflows for 32bit integers in header.

This prevents sample_rate/data_length from going negative, which
caused various crashes and undefined behaviour further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e4bb0530f7d4cb1343499ee2bf0cb943d3b9a41
---

 libavcodec/tta.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 985bf0c..1743f7d 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -61,7 +61,8 @@ typedef struct TTAContext {
     GetBitContext gb;
     const AVCRC *crc_table;
 
-    int format, channels, bps, data_length;
+    int format, channels, bps;
+    unsigned data_length;
     int frame_length, last_frame_length, total_frames;
 
     int32_t *decode_buffer;
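
Review bot: At `unsigned data_length;` only this one field changes type, while `frame_length, last_frame_length, total_frames` on the next line stay `int`. Any of those that is computed from data_length can still end up negative once the result is stored back into an int, and the third hunk does signed arithmetic on `s->total_frames`. Either make the derived counters unsigned as well or range-check them where they are assigned. The logging call visible in the last hunk also passes `s->data_length` as an argument, so its format specifier should be checked for `%d` versus `%u`.
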
@@ -265,7 +266,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
         }
 
         // prevent overflow
-        if (avctx->sample_rate > 0x7FFFFF) {
+        if (avctx->sample_rate > 0x7FFFFFu) {
             av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
             return AVERROR(EINVAL);
         }
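
Review bot: The `0x7FFFFFu` suffix on the sample_rate check rejects negative values only through the implicit conversion of the signed `avctx->sample_rate` to unsigned, which is easy to miss and easy to undo in a later cleanup. An explicit test such as `avctx->sample_rate <= 0 || avctx->sample_rate > 0x7FFFFF` states the intent directly, and the `// prevent overflow` comment should say that negative rates are the case being caught. As written, a sample_rate of 0 still passes this check.
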
@@ -282,7 +283,8 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
             s->data_length, s->frame_length, s->last_frame_length, s->total_frames);
 
         // FIXME: seek table
-        if (get_bits_left(&s->gb) < 32 * s->total_frames + 32)
+        if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 ||
+            avctx->extradata_size - 26 < s->total_frames * 4)
             av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n");
         else if (avctx->err_recognition & AV_EF_CRCCHECK) {
             if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4))
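
Review bot: The new seek table check bounds `s->total_frames` from above with `INT_MAX / 4` but not from below, and total_frames is still an `int` after this patch. With a negative total_frames the first two conditions are false and `avctx->extradata_size - 26 < s->total_frames * 4` is false as well, so control reaches `tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4)` with a negative length. Add `s->total_frames < 0 ||` to the condition unless total_frames is already validated earlier in tta_decode_init. The constants also deserve a comment or named macros: the size check uses 26 while the CRC call starts at offset 22, and the relation between the two is not stated anywhere in the hunk.
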


