[FFmpeg-devel] [PATCH] aiffdec: fix division by zero
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Mon Oct 17 17:17:35 EEST 2016
On 17.10.2016 05:43, Michael Niedermayer wrote:
> On Sun, Oct 16, 2016 at 10:38:42PM +0200, Andreas Cadhalpun wrote:
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>> libavformat/aiffdec.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
>> index cd916f9..de82787 100644
>> --- a/libavformat/aiffdec.c
>> +++ b/libavformat/aiffdec.c
>> @@ -380,7 +380,7 @@ static int aiff_read_packet(AVFormatContext *s,
>> size = st->codecpar->block_align;
>> break;
>> default:
>> - size = (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align;
>> + size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE;
>
> how do you reach block_align == 0 ?
> aiff_read_header() checks for block_align == 0
I'm not aware of a way to reproduce this with the ffmpeg binary, however
an API user (e.g. my fuzz-testing-program) can change codecpar->codec_type
and codecpar->codec_id to force decoding a stream with a particular codec.
However, avcodec_parameters_from_context sets codecpar->block_align to 0
for AVMEDIA_TYPE_VIDEO thus causing the subsequent crash.
It's similar for the other two division by zero patches.
So an alternative approach would be to set all parameter fields from the codec
in avcodec_parameters_from_context, but I prefer making the code more robust.
Best regards,
Andreas
More information about the ffmpeg-devel
mailing list