Skip to content

Commit

Permalink
avformat/aaxdec: Fix potential integer overflow
Browse files Browse the repository at this point in the history
The AAX demuxer reads a 32bit number containing the amount of entries
of an array and stores it in an uint32_t. Yet when iterating over this
array, a loop counter of type int is used. This leads to undefined
behaviour if the amount of entries is not in the range of int; to avoid
this, it is generally good to use the same type for the loop counter as
for the variable it is compared to. This is done in one of the two loops
affected by this.

In the other loop, the undefined behaviour can begin even earlier: Here
the loop counter is multiplied by an uint16_t which can overflow as soon
as the loop counter is > 2^15. Using an unsigned type would avoid the
undefined behaviour, but truncation would still be possible, so use an
uint64_t.

Also use an uint32_t for a variable containing an index in said array.

This fixes Coverity issue #1466767.

Reviewed-by: Paul B Mahol <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
  • Loading branch information
mkver committed Sep 20, 2020
1 parent 913aa42 commit 5b33f52
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions libavformat/aaxdec.c
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ typedef struct AAXContext {
int64_t strings_size;
char *string_table;

int current_segment;
uint32_t current_segment;

AAXColumn *xcolumns;
AAXSegment *segments;
Expand Down Expand Up @@ -239,7 +239,7 @@ static int aax_read_header(AVFormatContext *s)
flag = a->xcolumns[c].flag;
col_offset = a->xcolumns[c].offset;

for (int r = 0; r < a->nb_segments; r++) {
for (uint64_t r = 0; r < a->nb_segments; r++) {
if (flag & COLUMN_FLAG_DEFAULT) {
data_offset = a->schema_offset + col_offset;
} else if (flag & COLUMN_FLAG_ROW) {
Expand Down Expand Up @@ -330,7 +330,7 @@ static int aax_read_packet(AVFormatContext *s, AVPacket *pkt)

pkt->pos = avio_tell(pb);

for (int seg = 0; seg < a->nb_segments; seg++) {
for (uint32_t seg = 0; seg < a->nb_segments; seg++) {
int64_t start = a->segments[seg].start;
int64_t end = a->segments[seg].end;

Expand Down

0 comments on commit 5b33f52

Please sign in to comment.