summaryrefslogtreecommitdiff
path: root/libavformat/rm.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2006-05-13 11:37:56 +0000
committerMichael Niedermayer <michaelni@gmx.at>2006-05-13 11:37:56 +0000
commita443a2530d00b7019269202ac0f5ca8ba0a021c7 (patch)
tree9dfe3c9388c09a10ef32b64a871d3dac45495cb5 /libavformat/rm.c
parent3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (diff)
downloadffmpeg-a443a2530d00b7019269202ac0f5ca8ba0a021c7.tar.gz
sanity checks some might have been exploitable
Originally committed as revision 5370 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/rm.c')
-rw-r--r--libavformat/rm.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/libavformat/rm.c b/libavformat/rm.c
index c9c1b2aaa4..f195aa3d1d 100644
--- a/libavformat/rm.c
+++ b/libavformat/rm.c
@@ -555,6 +555,12 @@ static void rm_read_audio_stream_info(AVFormatContext *s, AVStream *st,
st->codec->extradata_size= 0;
rm->audio_framesize = st->codec->block_align;
st->codec->block_align = coded_framesize;
+
+ if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
+ av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+ return -1;
+ }
+
rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
} else if (!strcmp(buf, "cook")) {
int codecdata_length, i;
@@ -562,6 +568,11 @@ static void rm_read_audio_stream_info(AVFormatContext *s, AVStream *st,
if (((version >> 16) & 0xff) == 5)
get_byte(pb);
codecdata_length = get_be32(pb);
+ if(codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){
+ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n");
+ return -1;
+ }
+
st->codec->codec_id = CODEC_ID_COOK;
st->codec->extradata_size= codecdata_length;
st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
@@ -569,6 +580,12 @@ static void rm_read_audio_stream_info(AVFormatContext *s, AVStream *st,
((uint8_t*)st->codec->extradata)[i] = get_byte(pb);
rm->audio_framesize = st->codec->block_align;
st->codec->block_align = rm->sub_packet_size;
+
+ if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
+ av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+ return -1;
+ }
+
rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
} else {
st->codec->codec_id = CODEC_ID_NONE;
@@ -715,6 +732,12 @@ static int rm_read_header(AVFormatContext *s, AVFormatParameters *ap)
get_be16(pb);
st->codec->extradata_size= codec_data_size - (url_ftell(pb) - codec_pos);
+
+ if(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){
+ //check is redundant as get_buffer() will catch this
+ av_log(s, AV_LOG_ERROR, "st->codec->extradata_size too large\n");
+ return -1;
+ }
st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
get_buffer(pb, st->codec->extradata, st->codec->extradata_size);