]> git.sesse.net Git - ffmpeg/commitdiff
projects / ffmpeg / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 02bbb37)
avformat/smacker: Check audio frame size
authorAndreas Rheinhardt <andreas.rheinhardt@gmail.com>
Tue, 23 Jun 2020 12:05:17 +0000 (14:05 +0200)
committerAndreas Rheinhardt <andreas.rheinhardt@gmail.com>
Sat, 4 Jul 2020 17:19:34 +0000 (19:19 +0200)
The first four bytes of smacker audio are supposed to contain the number
of samples, so treat audio frames smaller than that as invalid.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
libavformat/smacker.c patch | blob | history

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 787c5d8972f66667ff2101c14ee4eaa9ad6e3865..c803ecbec9043b48351aaea4c988001ab2de86e7 100644 (file)
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -307,14 +307,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
             if(flags & 1) {
                 uint32_t size;
 
-                size = avio_rl32(s->pb) - 4;
-                if (!size || size + 4LL > frame_size) {
+                size = avio_rl32(s->pb);
+                if ((int)size < 8 || size > frame_size) {
                     av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
                     ret = AVERROR_INVALIDDATA;
                     goto next_frame;
                 }
                 frame_size -= size;
-                frame_size -= 4;
+                size       -= 4;
                 if ((ret = av_reallocp(&smk->bufs[smk->curstream], size)) < 0) {
                     smk->buf_sizes[smk->curstream] = 0;
                     goto next_frame;
Unnamed repository; edit this file 'description' to name the repository.