Reject audio tracks with invalid interleaver parameters in RM demuxer.

[ffmpeg] / libavformat / rmdec.c

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 14880fe7552066fcc92d594190fcb1f31ecc660c..4d1e75aa40afd91fc998f5ea50405add01007f7c 100644 (file)
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -215,8 +215,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
             ast->audio_framesize = st->codec->block_align;
             st->codec->block_align = coded_framesize;
 
-            if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
-                av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n");
+            if (ast->audio_framesize <= 0 || sub_packet_h <= 0 ||
+                ast->audio_framesize >= UINT_MAX / sub_packet_h){
+                av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h is invalid\n");
                 return -1;
             }
 
@@ -252,8 +253,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
             if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0)
                 return ret;
 
-            if(ast->audio_framesize >= UINT_MAX / sub_packet_h){
-                av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+            if (ast->audio_framesize <= 0 || sub_packet_h <= 0 ||
+                ast->audio_framesize >= UINT_MAX / sub_packet_h){
+                av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h is invalid\n");
                 return -1;
             }
 
@@ -919,7 +921,9 @@ static int64_t rm_read_dts(AVFormatContext *s, int stream_index,
     if(rm->old_format)
         return AV_NOPTS_VALUE;
 
-    avio_seek(s->pb, pos, SEEK_SET);
+    if (avio_seek(s->pb, pos, SEEK_SET) < 0)
+        return AV_NOPTS_VALUE;
+
     rm->remaining_len=0;
     for(;;){
         int seq=1;