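--- a/rm.c
+++ b/rm.c
@@ -555,6 +555,12 @@
             st->codec->extradata_size= 0;
             rm->audio_framesize = st->codec->block_align;
             st->codec->block_align = coded_framesize;
+
+            if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
+                av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+                return -1;
+            }
+
             rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
         } else if (!strcmp(buf, "cook")) {
             int codecdata_length, i;
@@ -562,6 +568,11 @@
             if (((version >> 16) & 0xff) == 5)
                 get_byte(pb);
             codecdata_length = get_be32(pb);
+            if(codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){
+                av_log(s, AV_LOG_ERROR, "codecdata_length too large\n");
+                return -1;
+            }
+
             st->codec->codec_id = CODEC_ID_COOK;
             st->codec->extradata_size= codecdata_length;
             st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
@@ -569,6 +580,12 @@
                 ((uint8_t*)st->codec->extradata)[i] = get_byte(pb);
             rm->audio_framesize = st->codec->block_align;
             st->codec->block_align = rm->sub_packet_size;
+
+            if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
+                av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+                return -1;
+            }
+
             rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
         } else {
             st->codec->codec_id = CODEC_ID_NONE;
@@ -715,6 +732,12 @@
                 get_be16(pb);
 
                 st->codec->extradata_size= codec_data_size - (url_ftell(pb) - codec_pos);
+
+                if(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){
+                    //check is redundant as get_buffer() will catch this
+                    av_log(s, AV_LOG_ERROR, "st->codec->extradata_size too large\n");
+                    return -1;
+                }
                 st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
                 get_buffer(pb, st->codec->extradata, st->codec->extradata_size);
 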
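Review bot: The wrap check at new line 571, `if(codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length)`, performs its addition on the `int` declared at old line 560, so for lengths near INT_MAX the sum overflows in the signed domain (undefined behaviour) and, with the usual wrap, compares greater than the cast operand — the case the check targets is not rejected, only a small band of negative values is. Comparing in the unsigned domain against the signed limit rejects both over-large and negative lengths in one test: `if((unsigned)codecdata_length > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE)`. The checks at new line 736 here and at new line 93 of tta.c have the same shape and, if extradata_size is an `int` as the cast suggests, the same weakness. Separately, the checks at new lines 559 and 584 divide by sub_packet_h, which is set outside these hunks; if a file can make it 0 the guard itself faults, so test it first: `if(!sub_packet_h || rm->audio_framesize >= UINT_MAX / sub_packet_h)`. The enclosing functions start and end outside these hunks.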
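--- a/sierravmd.c
+++ b/sierravmd.c
@@ -196,6 +196,10 @@
     vmd->frame_table = NULL;
     raw_frame_table_size = vmd->frame_count * 6;
     raw_frame_table = av_malloc(raw_frame_table_size);
+    if(vmd->frame_count * vmd->frames_per_block  >= UINT_MAX / sizeof(vmd_frame_t)){
+        av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
+        return -1;
+    }
     vmd->frame_table = av_malloc(vmd->frame_count * vmd->frames_per_block * sizeof(vmd_frame_t));
     if (!raw_frame_table || !vmd->frame_table) {
         av_free(raw_frame_table);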
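Review bot: The new check at line 199 returns -1 after `raw_frame_table` has already been allocated on line 198, so this error path leaks that buffer; the pre-existing failure path a few lines down frees it, the new one does not. Either move the check above the `av_malloc` on line 198 or release the buffer first: `av_free(raw_frame_table);` before `return -1;`. Note also that the guard bounds only the final multiplication by `sizeof(vmd_frame_t)`; the product `vmd->frame_count * vmd->frames_per_block` can itself wrap before the comparison unless both operands are narrow enough (their types are not visible in this hunk), and `raw_frame_table_size = vmd->frame_count * 6` on line 197 gets no check at all. The enclosing function starts and ends outside the hunk.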
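--- a/smacker.c
+++ b/smacker.c
@@ -114,6 +114,13 @@
     for(i = 0; i < 7; i++)
         smk->audio[i] = get_le32(pb);
     smk->treesize = get_le32(pb);
+
+    if(smk->treesize >= UINT_MAX/4){ // smk->treesize + 16 must not overflow (this check is probably redundant)
+        av_log(s, AV_LOG_ERROR, "treesize too large\n");
+        return -1;
+    }
+
+//FIXME remove extradata "rebuilding"
     smk->mmap_size = get_le32(pb);
     smk->mclr_size = get_le32(pb);
     smk->full_size = get_le32(pb);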
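Review bot: The inline comment on the new check at line 118 does not match its bound: it says `treesize + 16` must not overflow, but the test rejects anything at or above `UINT_MAX/4`, a far tighter limit, and the trailing "(this check is probably redundant)" leaves a reader unsure whether the guard is needed at all. State the actual reason for the value, e.g. `// bound treesize so that the later size arithmetic on it cannot wrap; UINT_MAX/4 is deliberately conservative`, adjusted to whatever that later use (outside this hunk) really is. The three sizes read immediately after on lines 124-126 (`mmap_size`, `mclr_size`, `full_size`) get no bound here; if they feed allocation sizes the way treesize does, they need the same guard. The `//FIXME remove extradata "rebuilding"` line at column 0 is unrelated to the overflow fix and would be better kept out of this patch. The enclosing function starts and ends outside the hunk.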
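--- a/tta.c
+++ b/tta.c
@@ -50,13 +50,27 @@
     channels = get_le16(&s->pb);
     bps = get_le16(&s->pb);
     samplerate = get_le32(&s->pb);
+    if(samplerate <= 0 || samplerate > 1000000){
+        av_log(s, AV_LOG_ERROR, "nonsense samplerate\n");
+        return -1;
+    }
+
     datalen = get_le32(&s->pb);
+    if(datalen < 0){
+        av_log(s, AV_LOG_ERROR, "nonsense datalen\n");
+        return -1;
+    }
+
     url_fskip(&s->pb, 4); // header crc
 
     framelen = 1.04489795918367346939 * samplerate;
     c->totalframes = datalen / framelen + ((datalen % framelen) ? 1 : 0);
     c->currentframe = 0;
 
+    if(c->totalframes >= UINT_MAX/sizeof(uint32_t)){
+        av_log(s, AV_LOG_ERROR, "totalframes too large\n");
+        return -1;
+    }
     c->seektable = av_mallocz(sizeof(uint32_t)*c->totalframes);
     if (!c->seektable)
         return AVERROR_NOMEM;
@@ -76,6 +90,11 @@
     st->codec->bits_per_sample = bps;
 
     st->codec->extradata_size = url_ftell(&s->pb) - start;
+    if(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){
+        //this check is redundant as get_buffer should fail
+        av_log(s, AV_LOG_ERROR, "extradata_size too large\n");
+        return -1;
+    }
     st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE);
     url_fseek(&s->pb, start, SEEK_SET); // or SEEK_CUR and -size ? :)
     get_buffer(&s->pb, st->codec->extradata, st->codec->extradata_size);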
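Review bot: The samplerate guard at new line 53 is doing more than rejecting nonsense values and that is undocumented: `datalen % framelen` on line 67 means `framelen` is an integer, it is derived from samplerate on line 66, so `samplerate <= 0` is what keeps that modulo and the division before it away from a zero divisor; a comment such as `// samplerate >= 1 also guarantees framelen (derived below) is >= 1 for the division` would stop a later maintainer from relaxing the bound. The upper limit `1000000` is a magic number and deserves a one-line note on why that value was chosen. The extradata_size check at new line 93 has the same signed-addition shape as the one in rm.c; see the note on that file. The enclosing function starts and ends outside these hunks.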
