[FFmpeg-devel] [PATCH] latmenc: validate extradata size.

[Michael Niedermayer]

On Tue, Apr 10, 2012 at 09:53:47PM +0200, Reimar Döffinger wrote:
> Fixes potential out-of-bounds writes.
> This is mostly possible when muxing ALS files where from
> an extradata size of about 1050 put_bits would write data
> outside the buffer.
> 
> Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> ---
>  libavformat/latmenc.c |   10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c
> index 1722eb5..0080746 100644
> --- a/libavformat/latmenc.c
> +++ b/libavformat/latmenc.c
> @@ -49,10 +49,16 @@ static const AVClass latm_muxer_class = {
>      .version    = LIBAVUTIL_VERSION_INT,
>  };
>  
> +#define MAX_EXTRADATA_SIZE 1024
> +
>  static int latm_decode_extradata(LATMContext *ctx, uint8_t *buf, int size)
>  {
>      MPEG4AudioConfig m4ac;
>  
> +    if (size > MAX_EXTRADATA_SIZE) {
> +        av_log(ctx, AV_LOG_ERROR, "Extradata is larger than currently supported.\n");
> +        return AVERROR_INVALIDDATA;
> +    }
>      ctx->off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1);
>      if (ctx->off < 0)
>          return ctx->off;

not sure its best to just check it here but better here than nowhere

also, if kieran wants to maintain latmenc i would be very happy about
that. As author he also should be able to provide higher quality
reviews than i could ...
(patch for MAINTAINERs file is welcome ...)

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20120411/5f447610/attachment.asc>