[FFmpeg-devel] [PATCH] aiffdec: fix division by zero

Michael Niedermayer michael at niedermayer.cc
Mon Oct 17 18:13:47 EEST 2016


On Mon, Oct 17, 2016 at 04:17:35PM +0200, Andreas Cadhalpun wrote:
> On 17.10.2016 05:43, Michael Niedermayer wrote:
> > On Sun, Oct 16, 2016 at 10:38:42PM +0200, Andreas Cadhalpun wrote:
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >>  libavformat/aiffdec.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
> >> index cd916f9..de82787 100644
> >> --- a/libavformat/aiffdec.c
> >> +++ b/libavformat/aiffdec.c
> >> @@ -380,7 +380,7 @@ static int aiff_read_packet(AVFormatContext *s,
> >>          size = st->codecpar->block_align;
> >>          break;
> >>      default:
> >> -        size = (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align;
> >> +        size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE;
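
Review bot: the new `default:` line guards against `block_align == 0` but nothing in the commit message or the code says how a zero value can reach `aiff_read_packet()`, so a later reader may remove the check as dead code. Add a short comment above the assignment, or a sentence in the commit message, stating the condition under which `block_align` is 0 here. The expression also repeats `st->codecpar->block_align` three times on one long line; an `if`/`else` that sets `size = MAX_SIZE` in the zero case would be easier to read.
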
> > 
> > how do you reach block_align == 0 ?
> > aiff_read_header() checks for block_align == 0
> 
> I'm not aware of a way to reproduce this with the ffmpeg binary, however
> an API user (e.g. my fuzz-testing-program) can change codecpar->codec_type
> and codecpar->codec_id to force decoding a stream with a particular codec.
> 
> However, avcodec_parameters_from_context sets codecpar->block_align to 0
> for AVMEDIA_TYPE_VIDEO thus causing the subsequent crash.

hmm, patch is probably ok then

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras