# HG changeset patch
# User michael
# Date 1147517126 0
# Node ID 68721b62a528e13007d93ca0775141662292de69
# Parent cb356bfc7e22b8739508bdf4a298724aed21387b
sanity checks, some might have been exploitable ...

diff -r cb356bfc7e22 -r 68721b62a528 4xm.c
--- a/4xm.c	Thu May 11 23:17:23 2006 +0000
+++ b/4xm.c	Sat May 13 10:45:26 2006 +0000
@@ -606,7 +606,7 @@
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
@@ -634,6 +634,10 @@
         cfrm= &f->cfrm[i];
 
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
 
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
diff -r cb356bfc7e22 -r 68721b62a528 alac.c
--- a/alac.c	Thu May 11 23:17:23 2006 +0000
+++ b/alac.c	Sat May 13 10:45:26 2006 +0000
@@ -100,7 +100,7 @@
     alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
 }
 
-static void alac_set_info(ALACContext *alac)
+static int alac_set_info(ALACContext *alac)
 {
     unsigned char *ptr = alac->avctx->extradata;
 
@@ -108,6 +108,10 @@
     ptr += 4; /* alac */
     ptr += 4; /* 0 ? */
 
+    if(BE_32(ptr) >= UINT_MAX/4){
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+        return -1;
+    }
     alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
     ptr += 4;
     alac->setinfo_7a = *ptr++;
@@ -126,6 +130,8 @@
     ptr += 4;
 
     allocate_buffers(alac);
+
+    return 0;
 }
 
 /* hideously inefficient. could use a bitmask search,
diff -r cb356bfc7e22 -r 68721b62a528 cook.c
--- a/cook.c	Thu May 11 23:17:23 2006 +0000
+++ b/cook.c	Sat May 13 10:45:26 2006 +0000
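Review bot: The new `buf_size < 20` condition only logs and falls through, because the if body is a single av_log with no return, so a short buffer still reaches the code that reads at `buf+20` (the memcpy in the next hunk of this file); I would add `return -1;` after the av_log. The condition also evaluates `get32(buf+4)` before the length test, so a buffer shorter than 8 bytes is read past its end inside the check itself; reorder it as `if(buf_size < 20 || buf_size != get32(buf+4)+8){` so the length test short-circuits the read. The enclosing function begins before this hunk.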
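Review bot: `cfrm->data= av_fast_realloc(cfrm->data, ...)` overwrites the only reference to the old buffer, so when the new NULL check fires the previous allocation is leaked while `cfrm->size` still claims it holds data; reallocate into a temporary instead: `void *tmp= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);`, `if(!tmp){ av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n"); return -1; }`, `cfrm->data= tmp;`. The log message is also misspelled ("falure") and lacks the trailing newline every other message in this changeset has. Whether a later call can recover from the NULL-data/nonzero-size state depends on how av_fast_realloc treats allocated_size, which is not visible here. The enclosing function begins before this hunk.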
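Review bot: alac_set_info now returns an int, but no hunk in this changeset touches its caller, so the -1 added in the next hunk is discarded unless the call site already checks a value it previously did not have; the caller should become `if(alac_set_info(alac) < 0) return -1;` (or whatever its own return convention needs), otherwise decoding proceeds with the fields after the failed check never parsed. The av_malloc on the context line above, `alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4)`, is also unchecked, so even a successful alac_set_info can leave a NULL buffer; that check belongs in allocate_buffers, which starts before this hunk.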
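Review bot: `BE_32(ptr)` reads bytes 8..11 of extradata before anything in this hunk has confirmed extradata is that long (or non-NULL), so a track with short or missing extradata is read out of bounds before the new bound is ever compared; a length check belongs at the top of alac_set_info, `if(!alac->avctx->extradata || alac->avctx->extradata_size < 12) return -1;`, with the minimum raised to cover every field parsed further down (those fields are outside this hunk, so I cannot state the exact number). If the caller already validates extradata_size, a comment saying so at the BE_32 read would spare the next reader the same question. The new bound itself is sound: rejecting values >= UINT_MAX/4 keeps the `* 4` in allocate_buffers (first hunk of this file) from wrapping. alac_set_info continues outside this hunk.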
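Review bot: `return 0;` reports success regardless of what allocate_buffers did, and allocate_buffers' allocations are unchecked (the first hunk of this file shows `alac->outputsamples_buffer_b = av_malloc(...)` with no NULL test), so the new return value cannot tell a caller that the context has no buffers. I would make allocate_buffers return an int that is -1 when any av_malloc fails and write this line as `return allocate_buffers(alac);`, or at least test the buffer pointers here before returning 0. The other buffers allocate_buffers fills are outside this hunk, so I cannot list them.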
@@ -1253,6 +1253,10 @@
     if (init_cook_vlc_tables(q) != 0)
         return -1;
 
+
+    if(avctx->block_align >= UINT_MAX/2)
+        return -1;
+
     /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
        this is for the bitstreamreader. */
     if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t))) == NULL)
diff -r cb356bfc7e22 -r 68721b62a528 shorten.c
--- a/shorten.c	Thu May 11 23:17:23 2006 +0000
+++ b/shorten.c	Sat May 13 10:45:26 2006 +0000
@@ -106,18 +106,27 @@
     return 0;
 }
 
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
     int i, chan;
     for (chan=0; chanchannels; chan++) {
+        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+            return -1;
+        }
+        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+            return -1;
+        }
+
         s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 
         s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
         for (i=0; inwrap; i++)
             s->decoded[chan][i] = 0;
         s->decoded[chan] += s->nwrap;
-
     }
+    return 0;
 }
 
 
diff -r cb356bfc7e22 -r 68721b62a528 smacker.c
--- a/smacker.c	Thu May 11 23:17:23 2006 +0000
+++ b/smacker.c	Sat May 13 10:45:26 2006 +0000
@@ -177,6 +177,11 @@
     int escapes[3];
     DBCtx ctx;
 
+    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
+        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
+        return -1;
+    }
+
     tmp1.length = 256;
     tmp1.maxlength = 0;
     tmp1.current = 0;
diff -r cb356bfc7e22 -r 68721b62a528 snow.c
--- a/snow.c	Thu May 11 23:17:23 2006 +0000
+++ b/snow.c	Sat May 13 10:45:26 2006 +0000
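Review bot: `if(avctx->block_align >= UINT_MAX/2) return -1;` is the only sanity check in this changeset that rejects input silently; every other one emits an av_log before returning, so a user whose stream fails here gets no diagnostic. Add `av_log(avctx, AV_LOG_ERROR, "block_align too large\n");` before the return, and consider a bound closer to a plausible frame size rather than UINT_MAX/2, which only keeps the `+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE` sum below from wrapping. The VLC tables built by init_cook_vlc_tables just above are not released on this early return; whether the decoder's close callback frees them is not visible here. The enclosing init function begins before this hunk.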
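Review bot: The two new guards make the sizes safe to compute, but the av_realloc calls right after them remain unchecked, so on allocation failure `s->decoded[chan]` is NULL and the loop `s->decoded[chan][i] = 0` writes through it (and `s->offset[chan]` is left NULL for later use); now that the function has an error path, test both results. A second hazard sits on the context lines: `s->decoded[chan] += s->nwrap;` stores an interior pointer, so if allocate_buffers runs more than once the next av_realloc receives a pointer that is not the start of an allocation — I cannot see whether it is called repeatedly, but keeping the base pointer separately would remove the risk. As with alac.c, no hunk in this changeset makes the caller check the new return value. allocate_buffers is shown in full; the hunk's leading context belongs to the preceding function.
```c
        s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
        s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
        if(!s->offset[chan] || !s->decoded[chan]){
            av_log(s->avctx, AV_LOG_ERROR, "allocation failure\n");
            return -1;
        }
        /* ... unchanged: zero the nwrap prefix, advance s->decoded[chan] ... */
```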
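Review bot: The error message `"size too large\n"` omits the offending value, unlike the other checks in this changeset that print what they rejected (`"size mismatch %d %d\n"` in 4xm.c, `"block_max_depth= %d ..."` in snow.c); logging it makes a corrupt-file report actionable: `av_log(smk->avctx, AV_LOG_ERROR, "size %u too large\n", size);` with the conversion matching size's declared type, which is outside this hunk. The inline comment names the expression the bound protects, but that expression is not in the hunk either; a word on where it is evaluated (the table allocation, presumably) would help the next reader. The enclosing function begins before this hunk.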
@@ -3712,7 +3712,7 @@
     s->mv_scale= get_symbol(&s->c, s->header_state, 0);
     s->qbias= get_symbol(&s->c, s->header_state, 1);
     s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
-    if(s->block_max_depth > 1){
+    if(s->block_max_depth > 1 || s->block_max_depth < 0){
         av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
         s->block_max_depth= 0;
         return -1;
diff -r cb356bfc7e22 -r 68721b62a528 tta.c
--- a/tta.c	Thu May 11 23:17:23 2006 +0000
+++ b/tta.c	Sat May 13 10:45:26 2006 +0000
@@ -238,6 +238,10 @@
     avctx->bits_per_sample = get_le16(&s->gb);
     s->bps = (avctx->bits_per_sample + 7) / 8;
     avctx->sample_rate = get_le32(&s->gb);
+    if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
+        av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
+        return -1;
+    }
     s->data_length = get_le32(&s->gb);
     skip_bits(&s->gb, 32); // CRC32 of header
 
@@ -276,6 +280,11 @@
         skip_bits(&s->gb, 32);
         skip_bits(&s->gb, 32); // CRC32 of seektable
 
+        if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
+            av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
+            return -1;
+        }
+
         s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
     } else {
         av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
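Review bot: The message `"block_max_depth= %d is too large"` is now also printed for negative values, which the new `|| s->block_max_depth < 0` term rejects, and it has no trailing newline unlike the other errors added in this changeset; change it to `"block_max_depth= %d is out of range\n"`. Resetting the field to 0 before returning is the right call, since a rejected header should not leave a negative depth behind for later use. The enclosing function begins before this hunk and continues after it.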
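Review bot: The new check only bounds sample_rate from above: `get_le32` yields a 32-bit value that is stored in `avctx->sample_rate`, an int in AVCodecContext, so values of 0x80000000 and above arrive here negative and pass `> 1000000`, and 0 passes too; both then feed the `FRAME_TIME * avctx->sample_rate` computation the comment is guarding. Reject them as well: `if(avctx->sample_rate <= 0 || avctx->sample_rate > 1000000){`. `avctx->bits_per_sample` from the same header is used unchecked to derive `s->bps` on the context line above, which may deserve the same treatment but is not new in this hunk. The enclosing function begins before this hunk.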
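Review bot: `UINT_MAX / (s->channels * sizeof(int32_t))` divides by zero when `s->channels` is 0, and nothing in this hunk shows channels being validated after it is read from the header, so a file advertising zero channels crashes in the very check meant to reject bad sizes; guard it first: `if(s->channels <= 0 || s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){`. The av_mallocz result on the next line is still not tested, so a merely large frame_length that passes the bound can leave `s->decode_buffer` NULL. If channels is validated earlier in the init function (outside this hunk), a comment here pointing at that check would spare the next reader the doubt. The enclosing function begins before this hunk and continues after it.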