[FFmpeg-cvslog] avcodec/speexdec: further check for sane frame_size values
James Almer
git at videolan.org
Sat Feb 17 14:51:32 EET 2024
ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Sat Feb 17 09:45:57 2024 -0300| [0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c] | committer: James Almer
avcodec/speexdec: further check for sane frame_size values
Prevent potential integer overflows.
Signed-off-by: James Almer <jamrial at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c
---
libavcodec/speexdec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 4d8052d585..ba0df687de 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -1421,9 +1421,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
s->bitrate = bytestream_get_le32(&buf);
s->frame_size = bytestream_get_le32(&buf);
- if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0))
+ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) ||
+ s->frame_size > INT32_MAX >> (s->mode > 0))
return AVERROR_INVALIDDATA;
- s->frame_size *= 1 + (s->mode > 0);
+ s->frame_size <<= (s->mode > 0);
s->vbr = bytestream_get_le32(&buf);
s->frames_per_packet = bytestream_get_le32(&buf);
if (s->frames_per_packet <= 0 ||
More information about the ffmpeg-cvslog
mailing list