highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libavformat/flacenc: reject too big picture blocks

Browse Source 
A too big picture will case the muxer to write a truncated block size (uint24)
causing the output file to be corrupt.

How to reproduce:

Write a file with truncated block size:
ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0🅰️0 -map 1✌️0 -c✌️0 bmp -disposition:1 attached_pic -t 1 test.flac

Try to decode:
ffmpeg -i test.flac test.wav

Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Mattias Wadman 2019-10-30 14:01:28 +01:00 committed by Michael Niedermayer
parent bb718d11ed
commit e447a4d112
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavformat/flacenc.c
View File

@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt)
AVDictionaryEntry *e; AVDictionaryEntry *e;
const char *mimetype = NULL, *desc = ""; const char *mimetype = NULL, *desc = "";
const AVStream *st = s->streams[pkt->stream_index]; const AVStream *st = s->streams[pkt->stream_index];
int i, mimelen, desclen, type = 0; int i, mimelen, desclen, type = 0, blocklen;
if (!pkt->data) if (!pkt->data)
return 0; return 0;
@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt)
desc = e->value; desc = e->value;
desclen = strlen(desc); desclen = strlen(desc);
blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size;
if (blocklen >= 1<<24) {
av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n", blocklen, 1<<24);
return AVERROR(EINVAL);
}
avio_w8(pb, 0x06); avio_w8(pb, 0x06);
avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size); avio_wb24(pb, blocklen);
avio_wb32(pb, type); avio_wb32(pb, type);