diff tta.c @ 3303:68721b62a528 libavcodec

sanity checks, some might have been exploitable ...
author michael
date Sat, 13 May 2006 10:45:26 +0000
parents 27e1b9632715
children 84c509024ee9
--- a/tta.c	Thu May 11 23:17:23 2006 +0000
+++ b/tta.c	Sat May 13 10:45:26 2006 +0000
@@ -238,6 +238,10 @@
         avctx->bits_per_sample = get_le16(&s->gb);
         s->bps = (avctx->bits_per_sample + 7) / 8;
         avctx->sample_rate = get_le32(&s->gb);
+        if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
+            av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
+            return -1;
+        }
         s->data_length = get_le32(&s->gb);
         skip_bits(&s->gb, 32); // CRC32 of header
 
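Review bot: The new bound on `avctx->sample_rate` is upper-only, so a header value of 0 still passes. If the field is a signed int (its declaration is not visible in this hunk), a 32-bit header value with the top bit set would be stored as a negative number and pass as well. The inline comment says the check protects `FRAME_TIME * avctx->sample_rate`; a zero or negative product would presumably give a frame length that later size and division code cannot use safely. Consider rejecting both ends in one place: `if(avctx->sample_rate <= 0 || avctx->sample_rate > 1000000){`. The enclosing function starts and ends outside the hunk.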
@@ -276,6 +280,11 @@
             skip_bits(&s->gb, 32);
         skip_bits(&s->gb, 32); // CRC32 of seektable
 
+        if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
+            av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
+            return -1;
+        }
+
         s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
     } else {
         av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
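Review bot: The divisor in the new guard, `s->channels * sizeof(int32_t)`, is zero when the header declares zero channels, so the check itself can divide by zero unless `s->channels` is validated earlier, outside this hunk. Rejecting that case first closes it: `if(s->channels == 0 || s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){`. The `av_mallocz` result on the following line is also stored without a NULL check in the visible lines; adding `if(!s->decode_buffer) return -1;` right after the allocation would stop a failed allocation from reaching the decode path. The enclosing function begins and ends outside the hunk.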