[libav-bugs] [Bug 1165] New: a infinite loop in wv_read_block_header

bugzilla at libav.org bugzilla at libav.org
Fri Jul 19 03:30:54 CEST 2019


https://bugzilla.libav.org/show_bug.cgi?id=1165

            Bug ID: 1165
           Summary: a infinite loop in wv_read_block_header
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: intreuse at gmail.com

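Reproduce with:
avconv -y -i $pocc /dev/null
In libavformat/wvdec.c:125, if id=0 and size=0, the following while loop never terminates.
The loop condition checks only avio_tell(pb) < block_end. With id=0 and size=0 the
default case calls avio_skip(pb, 0), so only the reads themselves can move the position
forward. Presumably the hang occurs once the input ends before block_end and the
avio_r8() reads return 0 without advancing; the loop has no end-of-input check.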

125         while (avio_tell(pb) < block_end) {
126             int id, size;
127             id   = avio_r8(pb);
128             size = (id & 0x80) ? avio_rl24(pb) : avio_r8(pb);
129             size <<= 1;
130             if (id & 0x40)
131                 size--;
132             switch (id & 0x3F) {
133             case 0xD:
134                 if (size <= 1) {
135                     av_log(ctx, AV_LOG_ERROR,
136                            "Insufficient channel information\n");
137                     return AVERROR_INVALIDDATA;
138                 }
139                 chan = avio_r8(pb);
140                 switch (size - 2) {
141                 case 0:
142                     chmask = avio_r8(pb);
143                     break; 
144                 case 1:
145                     chmask = avio_rl16(pb);
146                     break; 
147                 case 2:
148                     chmask = avio_rl24(pb);
149                     break; 
150                 case 3:
151                     chmask = avio_rl32(pb);
152                     break; 
153                 case 5:
154                     avio_skip(pb, 1);
155                     chan  |= (avio_r8(pb) & 0xF) << 8;
156                     chmask = avio_rl24(pb); 
157                     break; 
158                 default:
159                     av_log(ctx, AV_LOG_ERROR,
160                            "Invalid channel info size %d\n", size);
161                     return AVERROR_INVALIDDATA;
162                 }
163                 break;
164             case 0x27:
165                 rate = avio_rl24(pb);
166                 break; 
167             default:
168                 avio_skip(pb, size);
169             }
170             if (id & 0x40)
171                 avio_skip(pb, 1);
172         }
