[FFmpeg-cvslog] avcodec/g722enc: Validate parameters before using them

Andreas Rheinhardt git at videolan.org
Mon Feb 8 14:50:36 EET 2021 

ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Fri Feb  5 12:23:49 2021 +0100| [8d21eccd267acfcde3d35bbbf6621d6c3282e1ea] | committer: Andreas Rheinhardt

avcodec/g722enc: Validate parameters before using them

In case trellis is outside of 0..23, an invalid shift and/or a signed
integer overflow happens; furthermore, it can lead to the request to
allocate nonsense amounts of memory. So validate first.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d21eccd267acfcde3d35bbbf6621d6c3282e1ea
---

 libavcodec/g722enc.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/libavcodec/g722enc.c b/libavcodec/g722enc.c
index 9357f170fe..9e2ebf67c5 100644
--- a/libavcodec/g722enc.c
+++ b/libavcodec/g722enc.c
@@ -64,19 +64,6 @@ static av_cold int g722_encode_init(AVCodecContext * avctx)
     c->band[1].scale_factor = 2;
     c->prev_samples_pos = 22;
 
-    if (avctx->trellis) {
-        int frontier = 1 << avctx->trellis;
-        int max_paths = frontier * FREEZE_INTERVAL;
-        int i;
-        for (i = 0; i < 2; i++) {
-            c->paths[i] = av_mallocz_array(max_paths, sizeof(**c->paths));
-            c->node_buf[i] = av_mallocz_array(frontier, 2 * sizeof(**c->node_buf));
-            c->nodep_buf[i] = av_mallocz_array(frontier, 2 * sizeof(**c->nodep_buf));
-            if (!c->paths[i] || !c->node_buf[i] || !c->nodep_buf[i])
-                return AVERROR(ENOMEM);
-        }
-    }
-
     if (avctx->frame_size) {
         /* validate frame size */
         if (avctx->frame_size & 1 || avctx->frame_size > MAX_FRAME_SIZE) {
@@ -110,6 +97,18 @@ static av_cold int g722_encode_init(AVCodecContext * avctx)
                    avctx->trellis);
             avctx->trellis = new_trellis;
         }
+        if (avctx->trellis) {
+            int frontier = 1 << avctx->trellis;
+            int max_paths = frontier * FREEZE_INTERVAL;
+
+            for (int i = 0; i < 2; i++) {
+                c->paths[i]     = av_calloc(max_paths, sizeof(**c->paths));
+                c->node_buf[i]  = av_calloc(frontier, 2 * sizeof(**c->node_buf));
+                c->nodep_buf[i] = av_calloc(frontier, 2 * sizeof(**c->nodep_buf));
+                if (!c->paths[i] || !c->node_buf[i] || !c->nodep_buf[i])
+                    return AVERROR(ENOMEM);
+            }
+        }
     }
 
     ff_g722dsp_init(&c->dsp);

More information about the ffmpeg-cvslog mailing list