[MPlayer-cvslog] r37588 - trunk/libmpcodecs/dec_audio.c

rtogni subversion at mplayerhq.hu
Wed Jan 6 21:46:52 CET 2016


Author: rtogni
Date: Wed Jan  6 21:46:51 2016
New Revision: 37588

Log:
Sanitize audio parameters and prevent int32 overflow while calculating the
size of the codec output buffer.

Fixes a crash with a fuzzed file reported by Gustavo Grieco:
SIGFPE.PC.5555556a0dbe.STACK.dfef6ed0e.CODE.1.ADDR.0x5555556a0dbe.INSTR.idivl__0xc(%r12).fuzz
SIGSEGV.PC.7ffff4637ff9.STACK.1970f0787e.CODE.1.ADDR.(nil).INSTR.movdqu_%xmm8,(%rdi).fuzz
SIGSEGV.PC.7ffff463814e.STACK.1970f0787e.CODE.1.ADDR.(nil).INSTR.movdqu_%xmm8,(%rdi,%rcx,1).fuzz

Modified:
   trunk/libmpcodecs/dec_audio.c

Modified: trunk/libmpcodecs/dec_audio.c
==============================================================================
--- trunk/libmpcodecs/dec_audio.c	Mon Jan  4 21:16:53 2016	(r37587)
+++ trunk/libmpcodecs/dec_audio.c	Wed Jan  6 21:46:51 2016	(r37588)
@@ -118,6 +118,14 @@ static int init_audio_codec(sh_audio_t *
 	return 0;
     }
 
+    if (sh_audio->channels < 0 || sh_audio->samplerate < 0 || sh_audio->samplesize < 0 ||
+	(int64_t)sh_audio->channels * sh_audio->samplerate > INT_MAX ||
+	(int64_t)sh_audio->channels * sh_audio->samplerate * sh_audio->samplesize > INT_MAX) {
+	mp_msg(MSGT_DECAUDIO, MSGL_WARN, "dec_audio: Unreasonable audio codec parameters\n");
+	uninit_audio(sh_audio);	// free buffers
+	return 0;
+    }
+
     if (!sh_audio->o_bps)
 	sh_audio->o_bps = sh_audio->channels * sh_audio->samplerate
 	                  * sh_audio->samplesize;
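Review bot: the new guard rejects negative values but admits zero, so channels == 0, samplerate == 0 or samplesize == 0 pass the check and yield o_bps == 0 in the computation that follows; if zero is never a valid value at this point, `sh_audio->channels <= 0 || sh_audio->samplerate <= 0 || sh_audio->samplesize <= 0` would also close any later division by these fields (the report includes an idivl SIGFPE). The overflow arithmetic itself is sound: the third condition is only evaluated after `(int64_t)sh_audio->channels * sh_audio->samplerate > INT_MAX` was false, so the intermediate is at most INT_MAX and the int64_t product with samplesize cannot overflow. Two smaller points: the guard only covers the o_bps derived here, so a demuxer-supplied o_bps (the case where `if (!sh_audio->o_bps)` is false) is left unchecked; and the MSGL_WARN message would help anyone triaging fuzzed files more if it printed the rejected channels, samplerate and samplesize values.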


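As an added illustration of the overflow the commit guards against, here is a stand-alone C program that is not MPlayer code: the struct and function names are hypothetical stand-ins for the sh_audio_t fields the hunk reads. It computes the bytes-per-second product the unchecked way (so the wrap to a too-small value is visible) and the checked way (widening to int64_t and comparing against INT_MAX as r37588 does, plus an extra rejection of zero), and feeds both the kind of values a fuzzer produces.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the few sh_audio_t fields the check reads. */
struct audio_params {
    int channels;
    int samplerate;
    int samplesize;
    int o_bps;      /* output bytes per second; 0 = not yet set */
};

/* Unchecked product, the shape of the code before the fix. Computed in
 * 32-bit unsigned so the wrap is well defined here; the original int
 * arithmetic is undefined behaviour on overflow and wraps the same way on
 * common compilers, producing a value that is far smaller than the real one
 * (or negative once stored in an int). */
static uint32_t unchecked_o_bps(int channels, int samplerate, int samplesize)
{
    return (uint32_t)channels * (uint32_t)samplerate * (uint32_t)samplesize;
}

/* Checked variant. Returns 1 and fills *o_bps if the parameters are sane,
 * 0 otherwise. Widening to int64_t and comparing against INT_MAX follows the
 * r37588 logic; rejecting zero is an addition so that a later division by
 * channels, samplerate or o_bps cannot fault. */
static int audio_params_sane(const struct audio_params *p, int *o_bps)
{
    if (p->channels <= 0 || p->samplerate <= 0 || p->samplesize <= 0)
        return 0;
    int64_t bps = (int64_t)p->channels * p->samplerate;
    if (bps > INT_MAX)
        return 0;
    bps *= p->samplesize;   /* bps <= INT_MAX here, so this cannot overflow int64_t */
    if (bps > INT_MAX)
        return 0;
    *o_bps = (int)bps;
    return 1;
}

/* Convenience wrapper: the validated o_bps, or -1 when the input is rejected. */
static int checked_o_bps(int channels, int samplerate, int samplesize)
{
    struct audio_params p = { channels, samplerate, samplesize, 0 };
    int bps;
    return audio_params_sane(&p, &bps) ? bps : -1;
}

int main(void)
{
    /* Constructed inputs: one sane stream, one fuzzed header whose product is
     * exactly 2^32 and wraps to 0, one that wraps into the negative range,
     * and one with a zero field. */
    const struct audio_params cases[] = {
        { 2,     48000,   2, 0 },
        { 65536, 65536,   1, 0 },
        { 3,     1 << 30, 1, 0 },
        { 2,     0,       2, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct audio_params *c = &cases[i];
        printf("ch=%d sr=%d ss=%d  unchecked=%u  checked=%d\n",
               c->channels, c->samplerate, c->samplesize,
               unchecked_o_bps(c->channels, c->samplerate, c->samplesize),
               checked_o_bps(c->channels, c->samplerate, c->samplesize));
    }
    return 0;
}
```

The 65536/65536/1 case is the instructive one: the unchecked product is 0, so any buffer sized from it is empty while the decoder still believes it has 65536 channels of data to write, which is exactly the write-to-NULL/too-small-buffer pattern a SIGSEGV on a store instruction suggests; the checked version refuses the file up front.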