[FFmpeg-devel] [PATCH] alsdec: validate time diff index

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sat Apr 18 18:58:30 CEST 2015


If begin is smaller than t, the subtraction 'begin -= t' wraps around,
because begin is unsigned. The same applies for end < t.

This causes segmentation faults.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/alsdec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index f85f1e8..ff6b6cf 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
 
             if (ch[dep].time_diff_sign) {
                 t      = -t;
+                if (begin < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
+                    return AVERROR_INVALIDDATA;
+                }
                 begin -= t;
             } else {
+                if (end < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t);
+                    return AVERROR_INVALIDDATA;
+                }
                 end   -= t;
             }
 
-- 
2.1.4


More information about the ffmpeg-devel mailing list