From fe8bc7d1ee098de7f6da4d841a651773370ca454 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:17:47 +0300 Subject: [PATCH 01/15] mov: Don't use a negative duration for setting other fields MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some files have the duration set to -1 in the mdhd atom, more or less legitimately. (We produce such files ourselves, for the initial duration in fragmented mp4 files.) Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7f8d41eb097e8d4223c9caf97dd332a2fdb29d52) Signed-off-by: Luca Barbato --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f6529340a3..2ae19c9358 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2063,7 +2063,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) ((double)st->codec->width * sc->height), INT_MAX); } - if (st->duration != AV_NOPTS_VALUE) + if (st->duration != AV_NOPTS_VALUE && st->duration > 0) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, sc->time_scale*st->nb_frames, st->duration, INT_MAX); @@ -2805,7 +2805,7 @@ static int mov_read_header(AVFormatContext *s) for (i = 0; i < s->nb_streams; i++) { AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; - if (st->duration) + if (st->duration > 0) st->codec->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } } From 38bd229af9c4fa5897fc1a69e73a04c55f78647f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:32:35 +0300 Subject: [PATCH 02/15] ivi_common: Make sure color planes have been initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a92538b7c0defc86c55fb91f55dfa36aad192673) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 2a737547a5..152e9c4a55 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -938,6 +938,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_PATCHWELCOME; } + if (!ctx->planes[0].bands) { + av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n"); + return AVERROR_INVALIDDATA; + } + ctx->switch_buffers(ctx); //{ START_TIMER; From c8c93795e4afd04c2c5b74e29e8dec29b6a76b81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:40:13 +0300 Subject: [PATCH 03/15] mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a potential division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f875a732e36786d49f3650e3235272891a820600) Signed-off-by: Luca Barbato --- libavcodec/mpeg4videodec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index faa98668d9..7ff290c9e0 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -152,7 +152,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){ return 0; } -static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) +static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb) { int i; int a= 2<sprite_warping_accuracy; @@ -168,6 +168,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb int h= s->height; int min_ab; + if (w <= 0 || h <= 0) + return AVERROR_INVALIDDATA; + for(i=0; inum_sprite_warping_points; i++){ int length; int x=0, y=0; @@ -340,6 +343,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb } s->real_sprite_warping_points= s->num_sprite_warping_points; } + return 0; } /** @@ -414,7 +418,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s) skip_bits(&s->gb, 3); /* intra dc vlc threshold */ //FIXME don't just ignore everything if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){ - mpeg4_decode_sprite_trajectory(s, &s->gb); + if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_ERROR, "untested\n"); } @@ -2029,7 +2034,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){ } if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){ - mpeg4_decode_sprite_trajectory(s, gb); + if (mpeg4_decode_sprite_trajectory(s, gb) < 0) + return AVERROR_INVALIDDATA; if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n"); if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); } From 2e12af4587613dd5b2c3431e5c8194d73b03434f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:07:30 +0300 Subject: [PATCH 04/15] eacmv: Make sure a reference frame exists before referencing it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is similar to an existing check for the second-last frame from 062421e3. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ea78a348d86a3a733f6c1e0a65cfdd8283d924b9) Signed-off-by: Luca Barbato Conflicts: libavcodec/eacmv.c --- libavcodec/eacmv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 0dce066f1e..b7e13b1114 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -108,9 +108,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } From eac1c3f384eab770d42468f4f244156c1735701d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:03:34 +0300 Subject: [PATCH 05/15] truemotion2: Use av_freep properly in an error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c39f7eba01cd656e8f0eed592f93d11814736650) Signed-off-by: Luca Barbato --- libavcodec/truemotion2.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 2d7a5102c2..7691989b40 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -905,14 +905,14 @@ static av_cold int decode_init(AVCodecContext *avctx){ if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; From 3706c229920115f022876ef07b16217dce504db6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:46:50 +0300 Subject: [PATCH 06/15] ffv1: Make sure at least one slice context is initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids crashes when initializing the range coder for the first slice context. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b1db33159fdc2da4bdd8c75e4ff9a7dd0ef2f0c2) Signed-off-by: Luca Barbato --- libavcodec/ffv1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 682d111c0c..f6d9eaf276 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -194,6 +194,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) int i; f->slice_count = f->num_h_slices * f->num_v_slices; + if (f->slice_count <= 0) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n"); + return AVERROR(EINVAL); + } for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); From 00516b5491fbd99e4057f21eae231fc02cc596e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:27:49 +0300 Subject: [PATCH 07/15] xmv: Add more sanity checks for parameters read from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the number of channels is multiplied by 36 and assigned to to a uint16_t, make sure this calculation didn't overflow. (In certain cases the calculation could overflow leaving the truncated block_align at 0, leading to divisions by zero later.) Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68) Signed-off-by: Luca Barbato --- libavformat/xmv.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index d491dec8f6..201dc3ac72 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -43,6 +43,8 @@ XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ XMV_AUDIO_ADPCM51_REARLEFTRIGHT) +#define XMV_BLOCK_ALIGN_SIZE 36 + typedef struct XMVAudioTrack { uint16_t compression; uint16_t channels; @@ -207,7 +209,7 @@ static int xmv_read_header(AVFormatContext *s) track->bit_rate = track->bits_per_sample * track->sample_rate * track->channels; - track->block_align = 36 * track->channels; + track->block_align = XMV_BLOCK_ALIGN_SIZE * track->channels; track->block_samples = 64; track->codec_id = ff_wav_codec_get_id(track->compression, track->bits_per_sample); @@ -224,7 +226,8 @@ static int xmv_read_header(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", track->flags); - if (!track->channels || !track->sample_rate) { + if (!track->channels || !track->sample_rate || + track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", audio_track); ret = AVERROR_INVALIDDATA; From 0b0f1cd44ece180e12795cfc8d0a0ac5ea3ebe2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:40:57 +0300 Subject: [PATCH 08/15] rv10: Validate the dimensions set from the container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5372cda67109848d22146289e401669266217e80) Signed-off-by: Luca Barbato --- libavcodec/rv10.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 26af29ff26..04518dd21b 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -426,12 +426,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) RVDecContext *rv = avctx->priv_data; MpegEncContext *s = &rv->m; static int done=0; - int major_ver, minor_ver, micro_ver; + int major_ver, minor_ver, micro_ver, ret; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; } + if ((ret = av_image_check_size(avctx->coded_width, + avctx->coded_height, 0, avctx)) < 0) + return ret; ff_MPV_decode_defaults(s); From de75bc01cda53acfbd9f901639695ade8e650c43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 14:53:15 +0300 Subject: [PATCH 09/15] idroqdec: Make sure a video stream has been allocated before returning packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit bcbe4f3ceb6ee0210d3a401963518906c8b9b230) Signed-off-by: Luca Barbato --- libavformat/idroqdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index eeaafec5aa..82eff24e94 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -142,6 +142,8 @@ static int roq_read_packet(AVFormatContext *s, break; case RoQ_QUAD_CODEBOOK: + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; /* packet needs to contain both this codebook and next VQ chunk */ codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE; codebook_size = chunk_size; @@ -191,6 +193,11 @@ static int roq_read_packet(AVFormatContext *s, st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; } case RoQ_QUAD_VQ: + if (chunk_type == RoQ_QUAD_VQ) { + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; + } + /* load up the packet */ if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE)) return AVERROR(EIO); From 5358f1b50753638628fa5b99afd4b7da20d62e22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:14:56 +0300 Subject: [PATCH 10/15] asvdec: Verify the amount of extradata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The init function reads one byte of extradata. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f50803354c6acb4575379d7c54ca48ec5d36dd61) Signed-off-by: Luca Barbato --- libavcodec/asvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/asvdec.c b/libavcodec/asvdec.c index 16722a9192..d3579dea4c 100644 --- a/libavcodec/asvdec.c +++ b/libavcodec/asvdec.c @@ -285,6 +285,11 @@ static av_cold int decode_init(AVCodecContext *avctx) const int scale = avctx->codec_id == AV_CODEC_ID_ASV1 ? 1 : 2; int i; + if (avctx->extradata_size < 1) { + av_log(avctx, AV_LOG_ERROR, "No extradata provided\n"); + return AVERROR_INVALIDDATA; + } + ff_asv_common_init(avctx); init_vlcs(a); ff_init_scantable(a->dsp.idct_permutation, &a->scantable, ff_asv_scantab); From bacf5db1962a6955ce80eea6bbc86c6970d7d360 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:32:02 +0300 Subject: [PATCH 11/15] mpegaudiodec: Validate that the number of channels fits at the given offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is similar to the fix in 35cbc98b. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e9d61de96c113ee0ef8082833c7e682df0e23eec) Signed-off-by: Luca Barbato --- libavcodec/mpegaudiodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index fda0280b44..bd096df26a 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1936,7 +1936,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header); - if (ch + m->nb_channels > avctx->channels) { + if (ch + m->nb_channels > avctx->channels || + s->coff[fr] + m->nb_channels > avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec " "channel count\n"); return AVERROR_INVALIDDATA; From 4d90550cf95eac0451465116d6e53bac37b96927 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:53:31 +0300 Subject: [PATCH 12/15] qpeg: Add checks for running out of rows in qpeg_decode_inter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7a5a55722749a3ab77941914707277b147322cbe) Signed-off-by: Luca Barbato --- libavcodec/qpeg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 4a918e71ec..75e12234fe 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -190,6 +190,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */ @@ -201,6 +203,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0x80) { /* skip code: 0x80..0xBF */ From 5379c5184b9fe9ef06234638f5629d4c80056e04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:02:29 +0300 Subject: [PATCH 13/15] segafilm: Validate the number of audio channels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids divisions by zero later. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 82e266c6d3fbf3cc74e515b883e66543381a0f2c) Signed-off-by: Luca Barbato --- libavformat/segafilm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index adf24759c6..5643f33cc8 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -111,6 +111,11 @@ static int film_read_header(AVFormatContext *s) return AVERROR(EIO); film->audio_samplerate = AV_RB16(&scratch[24]); film->audio_channels = scratch[21]; + if (!film->audio_channels || film->audio_channels > 2) { + av_log(s, AV_LOG_ERROR, + "Invalid number of channels: %d\n", film->audio_channels); + return AVERROR_INVALIDDATA; + } film->audio_bits = scratch[22]; if (scratch[23] == 2) film->audio_type = AV_CODEC_ID_ADPCM_ADX; From 78dc022f6f8a8b87773a209e0fcbea2d5b48396f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:55:13 +0300 Subject: [PATCH 14/15] wtv: Add more sanity checks for a length read from the file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also make sure the existing length check can't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 83c285f88016b087c2f0f4b9ef356ad8ef12d947) Signed-off-by: Luca Barbato --- libavformat/wtv.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/wtv.c b/libavformat/wtv.c index 1811e4645c..7f029ff369 100644 --- a/libavformat/wtv.c +++ b/libavformat/wtv.c @@ -274,7 +274,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b dir_length = AV_RL16(buf + 16); file_length = AV_RL64(buf + 24); name_size = 2 * AV_RL32(buf + 32); - if (buf + 48 + name_size > buf_end) { + if (name_size < 0) { + av_log(s, AV_LOG_ERROR, + "bad filename length, remaining directory entries ignored\n"); + break; + } + if (48 + name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; } From ce1dacb435460dda1f9d453eaaeac44bd502aca4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:57:47 +0300 Subject: [PATCH 15/15] rl2: Avoid a division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 3ca14aa5964ea5d11f7a15f9fff17924d6096d44) Signed-off-by: Luca Barbato --- libavformat/rl2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index ac0532f1c9..ab33aabccc 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -107,6 +107,10 @@ static av_cold int rl2_read_header(AVFormatContext *s) rate = avio_rl16(pb); channels = avio_rl16(pb); def_sound_size = avio_rl16(pb); + if (!channels || channels > 42) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels); + return AVERROR_INVALIDDATA; + } /** setup video stream */ st = avformat_new_stream(s, NULL);