From d1a58afb95f68c5375b4a7556317d835108509ed Mon Sep 17 00:00:00 2001
From: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Date: Tue, 10 Apr 2012 21:49:46 +0200
Subject: latmenc: validate extradata size.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes potential out-of-bounds writes.
This is mostly possible when muxing ALS files where from
an extradata size of about 1050 put_bits would write data
outside the buffer.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
---
 libavformat/latmenc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'libavformat/latmenc.c')

diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c
index 1722eb59bf..914c63237d 100644
--- a/libavformat/latmenc.c
+++ b/libavformat/latmenc.c
@@ -27,6 +27,8 @@
 #include "avformat.h"
 #include "rawenc.h"
 
+#define MAX_EXTRADATA_SIZE 1024
+
 typedef struct {
     AVClass *av_class;
     int off;
@@ -53,6 +55,10 @@ static int latm_decode_extradata(LATMContext *ctx, uint8_t *buf, int size)
 {
     MPEG4AudioConfig m4ac;
 
+    if (size > MAX_EXTRADATA_SIZE) {
+        av_log(ctx, AV_LOG_ERROR, "Extradata is larger than currently supported.\n");
+        return AVERROR_INVALIDDATA;
+    }
     ctx->off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1);
     if (ctx->off < 0)
         return ctx->off;
@@ -152,11 +158,11 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
     if (pkt->size > 0x1fff)
         goto too_large;
 
-    buf = av_malloc(pkt->size+1024);
+    buf = av_malloc(pkt->size+1024+MAX_EXTRADATA_SIZE);
     if (!buf)
         return AVERROR(ENOMEM);
 
-    init_put_bits(&bs, buf, pkt->size+1024);
+    init_put_bits(&bs, buf, pkt->size+1024+MAX_EXTRADATA_SIZE);
 
     latm_write_frame_header(s, &bs);
 
-- 
cgit v1.2.3