avformat/oggparsespeex: Check frames_per_packet and packet_size

The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/oggparsespeex: Check frames_per_packet and packet_size
The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
afcf15b0 · Michael Niedermayer · 90da187f · afcf15b0
Commit afcf15b0 authored Dec 03, 2016 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

oggparsespeex.c libavformat/oggparsespeex.c +7 -0

No files found.
--- a/libavformat/oggparsespeex.c
+++ b/libavformat/oggparsespeex.c
@@ -82,6 +82,13 @@ static int speex_header(AVFormatContext *s, int idx) {

        spxp->packet_size  = AV_RL32(p + 56);
        frames_per_packet  = AV_RL32(p + 64);
+        if (spxp->packet_size < 0 ||
+            frames_per_packet < 0 ||
+            spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) {
+            av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet);
+            spxp->packet_size = 0;
+            return AVERROR_INVALIDDATA;
+        }
        if (frames_per_packet)
            spxp->packet_size *= frames_per_packet;