[FFmpeg-devel] [PATCH] latmenc: error out when packet size is too large.

[Reimar Döffinger]

Previously it would just silently write out incorrect data.
This also fixes a potential integer overflow in the allocation.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
---
 libavformat/latmenc.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c
index 8dd265d..8933a62 100644
--- a/libavformat/latmenc.c
+++ b/libavformat/latmenc.c
@@ -142,7 +142,7 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
     PutBitContext bs;
     int i, len;
     uint8_t loas_header[] = "\x56\xe0\x00";
-    uint8_t *buf;
+    uint8_t *buf = NULL;
 
     if (s->streams[0]->codec->codec_id == CODEC_ID_AAC_LATM)
         return ff_raw_write_packet(s, pkt);
@@ -151,6 +151,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
         av_log(s, AV_LOG_ERROR, "ADTS header detected - ADTS will not be incorrectly muxed into LATM\n");
         return AVERROR_INVALIDDATA;
     }
+    if (pkt->size > 0x1fff)
+        goto too_large;
 
     buf = av_malloc(pkt->size+1024);
     if (!buf)
@@ -190,6 +192,9 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
 
     len = put_bits_count(&bs) >> 3;
 
+    if (len > 0x1fff)
+        goto too_large;
+
     loas_header[1] |= (len >> 8) & 0x1f;
     loas_header[2] |= len & 0xff;
 
@@ -199,6 +204,11 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
     av_free(buf);
 
     return 0;
+
+too_large:
+    av_log(s, AV_LOG_ERROR, "LATM packet size larger than maximum size 0x1fff\n");
+    av_free(buf);
+    return AVERROR_INVALIDDATA;
 }
 
 AVOutputFormat ff_latm_muxer = {
-- 
1.7.9.5