From 44ff5a1bff424b1576dff366ccd246805b4e5567 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 16 Oct 2020 19:09:37 +0200
Subject: avformat/boadec: Check that channels and block_align are set

Fixes: Infinite loop
Fixes: 26381/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-5745789089087488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/boadec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/boadec.c b/libavformat/boadec.c
index 495090c485..74a6ceecb1 100644
--- a/libavformat/boadec.c
+++ b/libavformat/boadec.c
@@ -54,12 +54,12 @@ static int read_header(AVFormatContext *s)
     avio_rl32(s->pb);
     st->codecpar->sample_rate = avio_rl32(s->pb);
     st->codecpar->channels    = avio_rl32(s->pb);
-    if (st->codecpar->channels > FF_SANE_NB_CHANNELS)
+    if (st->codecpar->channels > FF_SANE_NB_CHANNELS || st->codecpar->channels <= 0)
         return AVERROR(ENOSYS);
     s->internal->data_offset = avio_rl32(s->pb);
     avio_r8(s->pb);
     st->codecpar->block_align = avio_rl32(s->pb);
-    if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS)
+    if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS || st->codecpar->block_align <= 0)
         return AVERROR_INVALIDDATA;
     st->codecpar->block_align *= st->codecpar->channels;
 
-- 
cgit v1.2.3