[FFmpeg-cvslog] Check mp3 header before calling avpriv_mpegaudio_decode_header().

[Justin Ruggles]

ffmpeg | branch: release/1.1 | Justin Ruggles <justin.ruggles at gmail.com> | Sun Jun 22 13:19:36 2014 -0400| [d7dbc687e312a91ef2ccf797d57b95c61d0e8a2f] | committer: Luca Barbato

Check mp3 header before calling avpriv_mpegaudio_decode_header().

As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.

CC:libav-stable at libav.org
(cherry picked from commit f2f2e7627f0c878d13275af5d166ec5932665e28)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d7dbc687e312a91ef2ccf797d57b95c61d0e8a2f
---

 libavcodec/libmp3lame.c |    8 +++++++-
 libavformat/mp3enc.c    |   17 ++++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c
index 2e501ca..5f6704d 100644
--- a/libavcodec/libmp3lame.c
+++ b/libavcodec/libmp3lame.c
@@ -190,6 +190,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
     MPADecodeHeader hdr;
     int len, ret, ch;
     int lame_result;
+    uint32_t h;
 
     if (frame) {
         switch (avctx->sample_fmt) {
@@ -245,7 +246,12 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
        determine the frame size. */
     if (s->buffer_index < 4)
         return 0;
-    if (avpriv_mpegaudio_decode_header(&hdr, AV_RB32(s->buffer))) {
+    h = AV_RB32(s->buffer);
+    if (ff_mpa_check_header(h) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid mp3 header at start of buffer\n");
+        return AVERROR_BUG;
+    }
+    if (avpriv_mpegaudio_decode_header(&hdr, h)) {
         av_log(avctx, AV_LOG_ERROR, "free format output not supported\n");
         return -1;
     }
diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c
index e37abf5..631705c 100644
--- a/libavformat/mp3enc.c
+++ b/libavformat/mp3enc.c
@@ -251,13 +251,16 @@ static int mp3_write_audio_packet(AVFormatContext *s, AVPacket *pkt)
 
     if (mp3->xing_offset && pkt->size >= 4) {
         MPADecodeHeader c;
-
-        avpriv_mpegaudio_decode_header(&c, AV_RB32(pkt->data));
-
-        if (!mp3->initial_bitrate)
-            mp3->initial_bitrate = c.bit_rate;
-        if ((c.bit_rate == 0) || (mp3->initial_bitrate != c.bit_rate))
-            mp3->has_variable_bitrate = 1;
+        uint32_t h;
+
+        h = AV_RB32(pkt->data);
+        if (ff_mpa_check_header(h) == 0) {
+            avpriv_mpegaudio_decode_header(&c, h);
+            if (!mp3->initial_bitrate)
+                mp3->initial_bitrate = c.bit_rate;
+            if ((c.bit_rate == 0) || (mp3->initial_bitrate != c.bit_rate))
+                mp3->has_variable_bitrate = 1;
+        }
 
         mp3_xing_add_frame(mp3, pkt);
     }