diff options
Diffstat (limited to 'libavformat/oggparsespeex.c')
-rw-r--r-- | libavformat/oggparsespeex.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index 2430cd7..27fc992 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -62,7 +62,16 @@ static int speex_header(AVFormatContext *s, int idx) { st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_SPEEX; + if (os->psize < 68) { + av_log(s, AV_LOG_ERROR, "speex packet too small\n"); + return AVERROR_INVALIDDATA; + } + st->codecpar->sample_rate = AV_RL32(p + 36); + if (st->codecpar->sample_rate <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); + return AVERROR_INVALIDDATA; + } st->codecpar->channels = AV_RL32(p + 48); if (st->codecpar->channels < 1 || st->codecpar->channels > 2) { av_log(s, AV_LOG_ERROR, "invalid channel count. Speex must be mono or stereo.\n"); @@ -73,12 +82,18 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; - st->codecpar->extradata_size = os->psize; - st->codecpar->extradata = av_malloc(st->codecpar->extradata_size - + AV_INPUT_BUFFER_PADDING_SIZE); + if (ff_alloc_extradata(st->codecpar, os->psize) < 0) + return AVERROR(ENOMEM); memcpy(st->codecpar->extradata, p, st->codecpar->extradata_size); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); |