[FFmpeg-devel] [PATCH 2/2] avformat/wavdec: check sample count validity

Michael Niedermayer michael at niedermayer.cc
Thu Jul 30 23:46:43 CEST 2015


On Thu, Jul 30, 2015 at 04:06:54PM -0400, Ganesh Ajjanagadde wrote:
> Can be used to fix Ticket4577
> 
> Signed-off-by: Ganesh Ajjanagadde <gajjanagadde at gmail.com>
> ---
>  libavformat/wavdec.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
> index 1803b5c..ba70da6 100644
> --- a/libavformat/wavdec.c
> +++ b/libavformat/wavdec.c
> @@ -434,8 +434,13 @@ break_loop:
>          data_size = 0;
>      }
>  
> -    if (   data_size > 0 && sample_count && st->codec->channels
> -        && (data_size << 3) / sample_count / st->codec->channels > st->codec->bits_per_coded_sample) {
> +    if (st->codec->channels && sample_count > (INT64_MAX/st->codec->channels)) {
> +        av_log(s, AV_LOG_WARNING, "Sample count %"PRId64" is too large\n", sample_count);
> +        sample_count = 0;
> +    }
> +

> +    if (data_size > 0 && st->codec->bit_rate > 0 && sample_count && st->codec->sample_rate
> +        && (data_size << 3) / st->codec->bit_rate > (sample_count * st->codec->channels) / (st->codec->sample_rate)) {
>          av_log(s, AV_LOG_WARNING, "ignoring wrong sample_count %"PRId64"\n", sample_count);
>          sample_count = 0;
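
Review bot: the new "Sample count ... is too large" guard bounds only sample_count * st->codec->channels, while (data_size << 3) in the condition that follows is still shifted with no upper bound, so a large data_size can overflow there. Comparing data_size against INT64_MAX >> 3 before the shift would cover it. Also in that condition, both sides are truncating integer divisions, and the right side multiplies by st->codec->channels where the removed check divided by it, so for multi-channel streams the two sides are not in the same unit; this should be documented in a comment or reworked.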

This condition triggers even with many ffmpeg generated files
(you can add an abort() and run "make fate" to see the failures)

To write a heuristic like this it's needed to test it against a few
files first.
Using a hard == or >= check on the bitrate from the header will not
work. Bitrates can vary throughout the file and the header value may
or may not be the average.
Using the bitrate in a test would be more complex.
I should have been more clear, but what I suggested previously were
more a bunch of ideas than a list of things that I tested and that
will work without adjustment.

Using the G729 specific bit_rate limits is likely going to work and
would be easy to do
but is not the most generic solution.



[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you don't want and which you would get tomorrow for free anyway