blob: bd8a08a2163d0c434748889793f9393952074e75 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 27 Feb 2022 14:43:04 +0100
Subject: [PATCH] avcodec/g729_parser: Check channels
Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
Fixes: assertion failure
Fixes: ticket9651
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2022-1475
Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f]
Comment: Patch is refreshed as per ffmpeg codebase
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
libavcodec/g729_parser.c | 3 +++
1 file changed, 3 insertions(+)
Index: ffmpeg-4.2.2/libavcodec/g729_parser.c
===================================================================
--- a/libavcodec/g729_parser.c
+++ b/libavcodec/g729_parser.c
@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte
av_assert1(avctx->codec_id == AV_CODEC_ID_G729);
/* FIXME: replace this heuristic block_size with more precise estimate */
s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
+ // channels > 2 is invalid, we pass the packet on unchanged
+ if (avctx->channels > 2)
+ s->block_size = 0;
s->block_size *= avctx->channels;
s->duration = avctx->frame_size;
}
|
