Lines 555-560
Link Here
|
555 |
st->codec->extradata_size= 0; |
555 |
st->codec->extradata_size= 0; |
556 |
rm->audio_framesize = st->codec->block_align; |
556 |
rm->audio_framesize = st->codec->block_align; |
557 |
st->codec->block_align = coded_framesize; |
557 |
st->codec->block_align = coded_framesize; |
|
|
558 |
|
559 |
if(rm->audio_framesize >= UINT_MAX / sub_packet_h){ |
560 |
av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n"); |
561 |
return -1; |
562 |
} |
563 |
|
558 |
rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h); |
564 |
rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h); |
559 |
} else if (!strcmp(buf, "cook")) { |
565 |
} else if (!strcmp(buf, "cook")) { |
560 |
int codecdata_length, i; |
566 |
int codecdata_length, i; |
Lines 562-567
Link Here
|
562 |
if (((version >> 16) & 0xff) == 5) |
568 |
if (((version >> 16) & 0xff) == 5) |
563 |
get_byte(pb); |
569 |
get_byte(pb); |
564 |
codecdata_length = get_be32(pb); |
570 |
codecdata_length = get_be32(pb); |
|
|
571 |
if(codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ |
572 |
av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); |
573 |
return -1; |
574 |
} |
575 |
|
565 |
st->codec->codec_id = CODEC_ID_COOK; |
576 |
st->codec->codec_id = CODEC_ID_COOK; |
566 |
st->codec->extradata_size= codecdata_length; |
577 |
st->codec->extradata_size= codecdata_length; |
567 |
st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); |
578 |
st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); |
Lines 569-574
Link Here
|
569 |
((uint8_t*)st->codec->extradata)[i] = get_byte(pb); |
580 |
((uint8_t*)st->codec->extradata)[i] = get_byte(pb); |
570 |
rm->audio_framesize = st->codec->block_align; |
581 |
rm->audio_framesize = st->codec->block_align; |
571 |
st->codec->block_align = rm->sub_packet_size; |
582 |
st->codec->block_align = rm->sub_packet_size; |
|
|
583 |
|
584 |
if(rm->audio_framesize >= UINT_MAX / sub_packet_h){ |
585 |
av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n"); |
586 |
return -1; |
587 |
} |
588 |
|
572 |
rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h); |
589 |
rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h); |
573 |
} else { |
590 |
} else { |
574 |
st->codec->codec_id = CODEC_ID_NONE; |
591 |
st->codec->codec_id = CODEC_ID_NONE; |
Lines 715-720
Link Here
|
715 |
get_be16(pb); |
732 |
get_be16(pb); |
716 |
|
733 |
|
717 |
st->codec->extradata_size= codec_data_size - (url_ftell(pb) - codec_pos); |
734 |
st->codec->extradata_size= codec_data_size - (url_ftell(pb) - codec_pos); |
|
|
735 |
|
736 |
if(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){ |
737 |
//check is redundant as get_buffer() will catch this |
738 |
av_log(s, AV_LOG_ERROR, "st->codec->extradata_size too large\n"); |
739 |
return -1; |
740 |
} |
718 |
st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); |
741 |
st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); |
719 |
get_buffer(pb, st->codec->extradata, st->codec->extradata_size); |
742 |
get_buffer(pb, st->codec->extradata, st->codec->extradata_size); |
720 |
|
743 |
|