From 074775462283e59657fbd18e76435371a2b80fda Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Sun, 23 Oct 2016 17:03:04 +0200
Subject: [PATCH] mpeg4audio: validate sample_rate

A negative sample rate doesn't make sense and triggers assertions in
av_rescale_rnd.

Also check for errors from avpriv_mpeg4audio_get_config in
ff_mp4_read_dec_config_descr.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/mpeg4audio.c | 5 +++++
 libavformat/isom.c      | 6 ++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c
index 188d843eee..01c374fddc 100644
--- a/libavcodec/mpeg4audio.c
+++ b/libavcodec/mpeg4audio.c
@@ -42,6 +42,11 @@ static int parse_config_ALS(GetBitContext *gb, MPEG4AudioConfig *c)
     // which are buggy in old ALS conformance files
     c->sample_rate = get_bits_long(gb, 32);
 
+    if (c->sample_rate <= 0) {
+        av_log(NULL, AV_LOG_ERROR, "Invalid sample rate %d\n", c->sample_rate);
+        return AVERROR_INVALIDDATA;
+    }
+
     // skip number of samples
     skip_bits_long(gb, 32);
 
diff --git a/libavformat/isom.c b/libavformat/isom.c
index ab79e226e5..1fa46bdab2 100644
--- a/libavformat/isom.c
+++ b/libavformat/isom.c
@@ -513,8 +513,10 @@ FF_ENABLE_DEPRECATION_WARNINGS
             return ret;
         if (st->codecpar->codec_id == AV_CODEC_ID_AAC) {
             MPEG4AudioConfig cfg = {0};
-            avpriv_mpeg4audio_get_config(&cfg, st->codecpar->extradata,
-                                         st->codecpar->extradata_size * 8, 1);
+            ret = avpriv_mpeg4audio_get_config(&cfg, st->codecpar->extradata,
+                                               st->codecpar->extradata_size * 8, 1);
+            if (ret < 0)
+                return ret;
             st->codecpar->channels = cfg.channels;
             if (cfg.object_type == 29 && cfg.sampling_index < 3) // old mp3on4
                 st->codecpar->sample_rate = avpriv_mpa_freq_tab[cfg.sampling_index];