From 28ff439efd2362fb21e1a78610737f2e26a72d8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:26:18 +0300 Subject: [PATCH] mvi: Add sanity checking for the audio frame size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavformat/mvi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 7fb163bea3..69b0aed571 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -94,6 +94,12 @@ static int read_header(AVFormatContext *s) mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; + if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { + av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n", + mvi->audio_data_size, frames_count); + return AVERROR_INVALIDDATA; + } + mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; mvi->audio_size_left = mvi->audio_data_size;