[MPlayer-cvslog] r37588 - trunk/libmpcodecs/dec_audio.c
rtogni
subversion at mplayerhq.hu
Wed Jan 6 21:46:52 CET 2016
Author: rtogni
Date: Wed Jan 6 21:46:51 2016
New Revision: 37588
Log:
Sanitize audio parameters and prevent int32 overflow while calculating the
size of the codec output buffer.
Fixes a crash with a fuzzed file reported by Gustavo Grieco:
SIGFPE.PC.5555556a0dbe.STACK.dfef6ed0e.CODE.1.ADDR.0x5555556a0dbe.INSTR.idivl__0xc(%r12).fuzz
SIGSEGV.PC.7ffff4637ff9.STACK.1970f0787e.CODE.1.ADDR.(nil).INSTR.movdqu_%xmm8,(%rdi).fuzz
SIGSEGV.PC.7ffff463814e.STACK.1970f0787e.CODE.1.ADDR.(nil).INSTR.movdqu_%xmm8,(%rdi,%rcx,1).fuzz
Modified:
trunk/libmpcodecs/dec_audio.c
Modified: trunk/libmpcodecs/dec_audio.c
==============================================================================
--- trunk/libmpcodecs/dec_audio.c Mon Jan 4 21:16:53 2016 (r37587)
+++ trunk/libmpcodecs/dec_audio.c Wed Jan 6 21:46:51 2016 (r37588)
@@ -118,6 +118,14 @@ static int init_audio_codec(sh_audio_t *
return 0;
}
+ if (sh_audio->channels < 0 || sh_audio->samplerate < 0 || sh_audio->samplesize < 0 ||
+ (int64_t)sh_audio->channels * sh_audio->samplerate > INT_MAX ||
+ (int64_t)sh_audio->channels * sh_audio->samplerate * sh_audio->samplesize > INT_MAX) {
+ mp_msg(MSGT_DECAUDIO, MSGL_WARN, "dec_audio: Unreasonable audio codec parameters\n");
+ uninit_audio(sh_audio); // free buffers
+ return 0;
+ }
+
if (!sh_audio->o_bps)
sh_audio->o_bps = sh_audio->channels * sh_audio->samplerate
* sh_audio->samplesize;
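Review bot: The three-factor product on the last line of the new condition stays within int64_t only because the two-factor comparison before it short-circuits first, so reordering the tests would let channels * samplerate * samplesize overflow a signed 64-bit value, which is undefined behaviour. I would record that above the `if` with a comment such as `/* order matters: the channels*samplerate test bounds the product before the samplesize multiply */`. The condition also accepts zero for all three fields, and a non-zero `o_bps` already set by the codec skips the computed product without any range check here. Whether the block ending just above the added lines rejects those cases is not visible, so it is worth confirming, given that one of the reported crashes is a SIGFPE on an `idivl`. init_audio_codec begins and ends outside this hunk.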