From b0c96e06134d5c2aa3fa4f0951834c982ee99e3b Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Wed, 1 Aug 2012 15:53:20 -0400
Subject: idcin: validate header parameters

Avoids using unsupported parameters and signed integer overflows.
---
 libavformat/idcin.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'libavformat')

diff --git a/libavformat/idcin.c b/libavformat/idcin.c
index fde8666788..6b107b9904 100644
--- a/libavformat/idcin.c
+++ b/libavformat/idcin.c
@@ -68,6 +68,7 @@
  *       transmitting them to the video decoder
  */
 
+#include "libavutil/imgutils.h"
 #include "libavutil/intreadwrite.h"
 #include "avformat.h"
 #include "internal.h"
@@ -153,6 +154,24 @@ static int idcin_read_header(AVFormatContext *s)
     bytes_per_sample = avio_rl32(pb);
     channels = avio_rl32(pb);
 
+    if (av_image_check_size(width, height, 0, s) < 0)
+        return AVERROR_INVALIDDATA;
+    if (sample_rate > 0) {
+        if (sample_rate < 14 || sample_rate > INT_MAX) {
+            av_log(s, AV_LOG_ERROR, "invalid sample rate: %u\n", sample_rate);
+            return AVERROR_INVALIDDATA;
+        }
+        if (bytes_per_sample < 1 || bytes_per_sample > 2) {
+            av_log(s, AV_LOG_ERROR, "invalid bytes per sample: %u\n",
+                   bytes_per_sample);
+            return AVERROR_INVALIDDATA;
+        }
+        if (channels < 1 || channels > 2) {
+            av_log(s, AV_LOG_ERROR, "invalid channels: %u\n", channels);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
     st = avformat_new_stream(s, NULL);
     if (!st)
         return AVERROR(ENOMEM);
-- 
cgit v1.2.3