From 8e357e8e759b36e5609ccd12a9e324aee0e8afc8 Mon Sep 17 00:00:00 2001 From: Reimar Döffinger Date: Tue, 10 Apr 2012 21:11:50 +0200 Subject: latmenc: error out when packet size is too large. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously it would just silently write out incorrect data. This also fixes a potential integer overflow in the allocation. Signed-off-by: Reimar Döffinger --- libavformat/latmenc.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'libavformat') diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c index 3eadfe0092..3ee277d701 100644 --- a/libavformat/latmenc.c +++ b/libavformat/latmenc.c @@ -138,7 +138,7 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) PutBitContext bs; int i, len; uint8_t loas_header[] = "\x56\xe0\x00"; - uint8_t *buf; + uint8_t *buf = NULL; if (s->streams[0]->codec->codec_id == CODEC_ID_AAC_LATM) return ff_raw_write_packet(s, pkt); @@ -147,6 +147,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "ADTS header detected - ADTS will not be incorrectly muxed into LATM\n"); return AVERROR_INVALIDDATA; } + if (pkt->size > 0x1fff) + goto too_large; buf = av_malloc(pkt->size+1024); if (!buf) @@ -173,6 +175,9 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) len = put_bits_count(&bs) >> 3; + if (len > 0x1fff) + goto too_large; + loas_header[1] |= (len >> 8) & 0x1f; loas_header[2] |= len & 0xff; @@ -182,6 +187,11 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) av_free(buf); return 0; + +too_large: + av_log(s, AV_LOG_ERROR, "LATM packet size larger than maximum size 0x1fff\n"); + av_free(buf); + return AVERROR_INVALIDDATA; } AVOutputFormat ff_latm_muxer = { -- cgit v1.2.3