sanity checks, some might have been exploitable ...

Originally committed as revision 5369 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2006-05-13 10:45:26 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2006-05-13 10:45:26 +0000
commit: 3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (patch)
tree: 54f9925f5f74bf9ca24ede510f6deffd98f2e2c6 /libavcodec/tta.c
parent: ce1d2a95c3d73663aecc6e5f51533d2bcf1fb1ae (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 3b1dd84450..5ea592910c 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -238,6 +238,10 @@ static int tta_decode_init(AVCodecContext * avctx)
         avctx->bits_per_sample = get_le16(&s->gb);
         s->bps = (avctx->bits_per_sample + 7) / 8;
         avctx->sample_rate = get_le32(&s->gb);
+        if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
+            av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
+            return -1;
+        }
         s->data_length = get_le32(&s->gb);
         skip_bits(&s->gb, 32); // CRC32 of header
 
@@ -276,6 +280,11 @@ static int tta_decode_init(AVCodecContext * avctx)
             skip_bits(&s->gb, 32);
         skip_bits(&s->gb, 32); // CRC32 of seektable
 
+        if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
+            av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
+            return -1;
+        }
+
         s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
     } else {
         av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
author	Michael Niedermayer <michaelni@gmx.at>	2006-05-13 10:45:26 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2006-05-13 10:45:26 +0000
commit	3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (patch)
tree	54f9925f5f74bf9ca24ede510f6deffd98f2e2c6 /libavcodec/tta.c
parent	ce1d2a95c3d73663aecc6e5f51533d2bcf1fb1ae (diff)