diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c
index f798baf128..3291d6141f 100644
--- a/libavformat/riffdec.c
+++ b/libavformat/riffdec.c
@@ -87,6 +87,7 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb,
 AVCodecContext *codec, int size, int big_endian)
 {
 int id;
+ uint64_t bitrate;
 
 if (size < 14) {
 avpriv_request_sample(codec, "wav header size < 14");
@@ -98,23 +99,15 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb,
 id = avio_rl16(pb);
 codec->channels = avio_rl16(pb);
 codec->sample_rate = avio_rl32(pb);
- codec->bit_rate = avio_rl32(pb) * 8;
+ bitrate = avio_rl32(pb) * 8;
 codec->block_align = avio_rl16(pb);
 } else {
 id = avio_rb16(pb);
 codec->channels = avio_rb16(pb);
 codec->sample_rate = avio_rb32(pb);
- codec->bit_rate = avio_rb32(pb) * 8;
+ bitrate = avio_rb32(pb) * 8;
 codec->block_align = avio_rb16(pb);
 }
- if (codec->bit_rate < 0) {
- av_log(s, AV_LOG_WARNING,
- "Invalid bit rate: %d\n", codec->bit_rate);
- if (s->error_recognition & AV_EF_EXPLODE)
- return AVERROR_INVALIDDATA;
- else
- codec->bit_rate = 0;
- }
 if (size == 14) { /* We're dealing with plain vanilla WAVEFORMAT */
 codec->bits_per_coded_sample = 8;
 } else {
@@ -155,6 +148,23 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb,
 if (size > 0)
 avio_skip(pb, size);
 }
+
+ if (bitrate > INT_MAX) {
+ if (s->error_recognition & AV_EF_EXPLODE) {
+ av_log(s, AV_LOG_ERROR,
+ "The bitrate %"PRIu64" is too large.\n",
+ bitrate);
+ return AVERROR_INVALIDDATA;
+ } else {
+ av_log(s, AV_LOG_WARNING,
+ "The bitrate %"PRIu64" is too large, resetting to 0.",
+ bitrate);
+ codec->bit_rate = 0;
+ }
+ } else {
+ codec->bit_rate = bitrate;
+ }
+
 if (codec->sample_rate <= 0) {
 av_log(s, AV_LOG_ERROR,
 "Invalid sample rate: %d\n", codec->sample_rate);
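Review bot: The product in `bitrate = avio_rl32(pb) * 8;` (and in the `avio_rb32` line of the big-endian branch) is still computed in 32-bit unsigned arithmetic, because avio_rl32()/avio_rb32() return `unsigned int` and `8` is an `int`, so it wraps modulo 2^32 before it is widened into the `uint64_t`. A byte-rate field of 0x20000000 or more read from the file therefore becomes a small wrapped value that passes the later `bitrate > INT_MAX` test, which as written only catches products between 2^31 and 2^32-1. Widen before multiplying: `bitrate = avio_rl32(pb) * 8LL;` and `bitrate = avio_rb32(pb) * 8LL;`. The body of ff_get_wav_header starts and continues outside this hunk.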
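Review bot: The warning string in the non-explode branch, `"The bitrate %"PRIu64" is too large, resetting to 0."`, has no trailing `\n`, unlike the error message in the branch above it, so the following log line will be appended to it; it should end in `resetting to 0.\n`. The range check is also worth a one-line comment saying why the value is held in a 64-bit temporary, for example `/* byte rate comes from the file; reject anything that does not fit in int */`. The function continues past the end of this hunk, so the paths that follow the assignment are not visible here.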