[FFmpeg-devel] [PATCH 5/9] nistspheredec: prevent overflow during block alignment calculation

Thu Jan 26 03:12:45 EET 2017

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavformat/nistspheredec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c
index 782d1dfbfb..3386497682 100644
--- a/libavformat/nistspheredec.c
+++ b/libavformat/nistspheredec.c
@@ -21,6 +21,7 @@
 
 #include "libavutil/avstring.h"
 #include "libavutil/intreadwrite.h"
+#include "libavcodec/internal.h"
 #include "avformat.h"
 #include "internal.h"
 #include "pcm.h"
@@ -90,6 +91,11 @@ static int nist_read_header(AVFormatContext *s)
             return 0;
         } else if (!memcmp(buffer, "channel_count", 13)) {
             sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->channels);
+            if (st->codecpar->channels > FF_SANE_NB_CHANNELS) {
+                av_log(s, AV_LOG_ERROR, "Too many channels %d > %d\n",
+                       st->codecpar->channels, FF_SANE_NB_CHANNELS);
+                return AVERROR(ENOSYS);
+            }
         } else if (!memcmp(buffer, "sample_byte_format", 18)) {
             sscanf(buffer, "%*s %*s %31s", format);
 
@@ -109,6 +115,11 @@ static int nist_read_header(AVFormatContext *s)
             sscanf(buffer, "%*s %*s %"SCNd64, &st->duration);
         } else if (!memcmp(buffer, "sample_n_bytes", 14)) {
             sscanf(buffer, "%*s %*s %"SCNd32, &bps);
+            if (bps > (INT_MAX / FF_SANE_NB_CHANNELS) >> 3) {
+                av_log(s, AV_LOG_ERROR, "Too many bytes per sample %d > %d\n",
+                       bps, (INT_MAX / FF_SANE_NB_CHANNELS) >> 3);
+                return AVERROR_INVALIDDATA;
+            }
         } else if (!memcmp(buffer, "sample_rate", 11)) {
             sscanf(buffer, "%*s %*s %"SCNd32, &st->codecpar->sample_rate);
         } else if (!memcmp(buffer, "sample_sig_bits", 15)) {
-- 
2.11.0

