diff --git a/libavcodec/av3a.h b/libavcodec/av3a.h index 14dc349894..ff2d819943 100644 --- a/libavcodec/av3a.h +++ b/libavcodec/av3a.h @@ -35,6 +35,7 @@ #define AV3A_FS_TABLE_SIZE 9 #define AV3A_RESOLUTION_TABLE_SIZE 3 #define AV3A_DCA3_BOX_MIN_SIZE 5 +#define AV3A_DCA3_BOX_MAX_SIZE 7 /* Channel Layout */ #define AV3A_CH_LAYOUT_MONO (AV_CH_LAYOUT_MONO) @@ -201,9 +202,9 @@ typedef struct { } Av3aSampleFormatMap; static const Av3aSampleFormatMap ff_av3a_sample_format_map_table[AV3A_RESOLUTION_TABLE_SIZE] = { - {8, AV_SAMPLE_FMT_U8 }, /* 0: 8 bits */ - {16, AV_SAMPLE_FMT_S16}, /* 1: 16 bits */ - {24, AV_SAMPLE_FMT_S32}, /* 2: 24 bits */ + {8, AV_SAMPLE_FMT_U8 }, /* 0: 8 bits */ + {16, AV_SAMPLE_FMT_S16}, /* 1: 16 bits */ + {24, AV_SAMPLE_FMT_S32}, /* 2: 24 bits */ }; typedef struct { diff --git a/libavcodec/av3a_parser.c b/libavcodec/av3a_parser.c index a563b55437..d7b9fb2972 100644 --- a/libavcodec/av3a_parser.c +++ b/libavcodec/av3a_parser.c @@ -42,7 +42,7 @@ typedef struct { int16_t total_channels; } Av3aParseContext; -static int ff_read_av3a_header_parse(GetBitContext *gb, AATFHeaderInfo *hdf) +static int ff_av3a_header_parse(GetBitContext *gb, AATFHeaderInfo *hdf) { int64_t soundbed_bitrate = 0L; int64_t object_bitrate = 0L; 
@@ -181,19 +181,22 @@ static int ff_read_av3a_header_parse(GetBitContext *gb, AATFHeaderInfo *hdf) static int raw_av3a_parse(AVCodecParserContext *s, AVCodecContext *avctx, const uint8_t **poutbuf, int32_t *poutbuf_size, const uint8_t *buf, int32_t buf_size) { - int ret = 0; uint8_t header[AV3A_MAX_NBYTES_HEADER]; AATFHeaderInfo hdf; GetBitContext gb; - if (buf_size < AV3A_MAX_NBYTES_HEADER) { + if ((!buf) || (buf_size < AV3A_MAX_NBYTES_HEADER)) { + *poutbuf = NULL; + *poutbuf_size = 0; return buf_size; } memcpy(header, buf, AV3A_MAX_NBYTES_HEADER); init_get_bits8(&gb, buf, AV3A_MAX_NBYTES_HEADER); - if ((ret = ff_read_av3a_header_parse(&gb, &hdf)) != 0) { - return ret; + if (ff_av3a_header_parse(&gb, &hdf) < 0) { + *poutbuf = NULL; + *poutbuf_size = 0; + return buf_size; } avctx->codec_id = AV_CODEC_ID_AVS3DA; diff --git a/libavformat/av3adec.c b/libavformat/av3adec.c index 51f7ec9f8a..4c908af9cb 100644 --- a/libavformat/av3adec.c +++ b/libavformat/av3adec.c @@ -195,7 +195,7 @@ static int av3a_get_packet_size(AVFormatContext *s) uint16_t sync_word = 0; int payload_bytes = 0; int payloud_bits = 0; - uint8_t header[AV3A_MAX_NBYTES_HEADER]; + uint8_t header[AV3A_MAX_NBYTES_HEADER + AV_INPUT_BUFFER_PADDING_SIZE]; GetBitContext gb; int32_t sampling_rate; int16_t coding_profile, sampling_frequency_index, channel_number_index; diff --git a/libavformat/mov.c b/libavformat/mov.c index 9a9144679b..5749111cba 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
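Review bot: The `init_get_bits8(&gb, buf, AV3A_MAX_NBYTES_HEADER)` call kept by this hunk still ignores its return value and reads from `buf`, while the `header` array filled by the `memcpy` just above it is not used anywhere in the visible lines. The same commit adds a return-value check for this call in mov.c, so the parser should do `if (init_get_bits8(&gb, buf, AV3A_MAX_NBYTES_HEADER) < 0)` and take the same no-output path as the other two failures. The body of raw_av3a_parse continues past the hunk, so whether `header` is read further down cannot be seen here. If it is not, the copy can be dropped; if the bit reader is meant to use it, it needs the `AV_INPUT_BUFFER_PADDING_SIZE` tail that av3adec.c gets in this commit.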
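Review bot: The enlarged `header` array in av3a_get_packet_size is declared without an initializer, so its `AV_INPUT_BUFFER_PADDING_SIZE` tail holds whatever was on the stack unless code outside this hunk clears it. FFmpeg's bitstream readers expect that padding to be zeroed. Declaring it as `uint8_t header[AV3A_MAX_NBYTES_HEADER + AV_INPUT_BUFFER_PADDING_SIZE] = { 0 };` guarantees this regardless of how many bytes the later read fills. The function starts before and continues after the hunk, so an existing memset may already cover it; worth confirming.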
@@ -7930,26 +7930,30 @@ static int mov_read_dca3(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 int i = 0;
 int nb_channels = 0;
 int nb_objects = 0;
+ int buff_size = 0;
 AVStream *st = NULL;
 GetBitContext gb;
- uint8_t buffer[7];
+ uint8_t buffer[AV3A_DCA3_BOX_MAX_SIZE + AV_INPUT_BUFFER_PADDING_SIZE];
 int audio_codec_id, sampling_frequency_index;
 int nn_type, content_type, channel_number_index, number_objects;
 int hoa_order, resolution_index, reserved;
 int bitrate_kbps;

- if (atom.size < AV3A_DCA3_BOX_MIN_SIZE) {
+ if ((atom.size < AV3A_DCA3_BOX_MIN_SIZE) || (atom.size > AV3A_DCA3_BOX_MAX_SIZE)) {
 return AVERROR_INVALIDDATA;
 }
+ buff_size = (int)(atom.size);

- init_get_bits8(&gb, buffer, sizeof(buffer));
+ if ((ret = init_get_bits8(&gb, buffer, sizeof(buffer))) < 0) {
+ return ret;
+ }

 if (c->fc->nb_streams < 1) {
 return 0;
 }
 st = c->fc->streams[c->fc->nb_streams - 1];

- if ((ret = avio_read(pb, buffer, sizeof(buffer))) < 0) {
+ if ((ret = avio_read(pb, buffer, buff_size)) < 0) {
 return ret;
 }

@@ -8016,7 +8020,10 @@ static int mov_read_dca3(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 }

 bitrate_kbps = get_bits(&gb, 16);
- st->codecpar->bit_rate = bitrate_kbps * 1000;
+ if (bitrate_kbps <= 0) {
+ return AVERROR_INVALIDDATA;
+ }
+ st->codecpar->bit_rate = (int64_t)(bitrate_kbps * 1000);

 resolution_index = get_bits(&gb, 2);
 if ((resolution_index >= AV3A_RESOLUTION_TABLE_SIZE) || (resolution_index < 0)) {
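Review bot: `init_get_bits8(&gb, buffer, sizeof(buffer))` now tells the bit reader that all `AV3A_DCA3_BOX_MAX_SIZE + AV_INPUT_BUFFER_PADDING_SIZE` bytes are valid, but `buffer` is uninitialized and `avio_read` fills at most `buff_size` (5 to 7) bytes. For a 5- or 6-byte box, or on a short read, the later `get_bits` calls can therefore parse leftover stack bytes into stream parameters. The read is also only checked for `< 0`, so a truncated box passes. I would zero the array, read first, require the full `buff_size`, and size the reader with `buff_size`, as sketched below. The declaration of `ret` and the rest of mov_read_dca3 lie outside the hunk.

```c
uint8_t buffer[AV3A_DCA3_BOX_MAX_SIZE + AV_INPUT_BUFFER_PADDING_SIZE] = { 0 };
/* … unchanged: remaining declarations, atom.size range check, nb_streams check … */
if ((ret = avio_read(pb, buffer, buff_size)) < 0) {
    return ret;
}
if (ret != buff_size) {
    /* short read: the box is truncated */
    return AVERROR_INVALIDDATA;
}
if ((ret = init_get_bits8(&gb, buffer, buff_size)) < 0) {
    return ret;
}
```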
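Review bot: In `st->codecpar->bit_rate = (int64_t)(bitrate_kbps * 1000);` the cast is applied to the finished `int` product, so it does not widen the multiplication. A 16-bit field cannot overflow here, but the line reads as if it were guarding against that; `st->codecpar->bit_rate = bitrate_kbps * (int64_t)1000;` does what the cast suggests. Because `get_bits(&gb, 16)` cannot yield a negative value, the new `bitrate_kbps <= 0` test is effectively `== 0`, which a short comment such as `/* 0 kbps is not a valid bitrate */` would make clear. The function continues outside the hunk.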