[FFmpeg-cvslog] avformat/oggparsespeex: Check frames_per_packet and packet_size
Michael Niedermayer
git at videolan.org
Sun Dec 4 02:58:12 EET 2016
ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sat Dec 3 03:40:55 2016 +0100| [f202fefdb0ac86eb2b0e88f11bb63b7f9d2e2bc1] | committer: Michael Niedermayer
avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus
the limits were chosen so as to avoid multiplicative overflow
Fixes undefined behavior
Fixes: 635422.ogg
Found-by: Matt Wolenetz <wolenetz at google.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f202fefdb0ac86eb2b0e88f11bb63b7f9d2e2bc1
---
libavformat/oggparsespeex.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c
index 9b5c65f..55bf72b 100644
--- a/libavformat/oggparsespeex.c
+++ b/libavformat/oggparsespeex.c
@@ -74,6 +74,13 @@ static int speex_header(AVFormatContext *s, int idx) {
spxp->packet_size = AV_RL32(p + 56);
frames_per_packet = AV_RL32(p + 64);
+ if (spxp->packet_size < 0 ||
+ frames_per_packet < 0 ||
+ spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) {
+ av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet);
+ spxp->packet_size = 0;
+ return AVERROR_INVALIDDATA;
+ }
if (frames_per_packet)
spxp->packet_size *= frames_per_packet;
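Review bot: the bound `INT32_MAX / 256` in the new condition has no comment explaining where the factor 256 comes from. The commit message says the limits were chosen to avoid multiplicative overflow, but the code does not say which later multiplication needs that headroom; a one-line comment above the check would make that clear. Also, when frames_per_packet is 0 the product is 0, so any non-negative packet_size up to INT32_MAX passes the check and is then left unscaled by the following `if (frames_per_packet)`. If the headroom is meant to protect later uses of packet_size, bounding packet_size on its own as well would cover that case.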