Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

4xm: do not overread while parsing header

Browse Source 
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
pull/25/head
Luca Barbato 12 years ago
parent e7a44f87d0
commit 42d73f7f6b
1 changed files with 14 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 20
      libavformat/4xm.c

20
libavformat/4xm.c
Unescape View File

@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
} }
static int parse_vtrk(AVFormatContext *s, static int parse_vtrk(AVFormatContext *s,
FourxmDemuxContext *fourxm, uint8_t *buf, int size) FourxmDemuxContext *fourxm, uint8_t *buf, int size,
int left)
{ {
AVStream *st; AVStream *st;
/* check that there is enough data */ /* check that there is enough data */
if (size != vtrk_SIZE) { if (size != vtrk_SIZE || left < size + 8) {
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,
static int parse_strk(AVFormatContext *s, static int parse_strk(AVFormatContext *s,
FourxmDemuxContext *fourxm, uint8_t *buf, int size) FourxmDemuxContext *fourxm, uint8_t *buf, int size,
int left)
{ {
AVStream *st; AVStream *st;
int track; int track;
/* check that there is enough data */ /* check that there is enough data */
if (size != strk_SIZE) if (size != strk_SIZE || left < size + 8)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
track = AV_RL32(buf + 8); track = AV_RL32(buf + 8);
@ -217,14 +219,20 @@ static int fourxm_read_header(AVFormatContext *s)
size = AV_RL32(&header[i + 4]); size = AV_RL32(&header[i + 4]);
if (fourcc_tag == std__TAG) { if (fourcc_tag == std__TAG) {
if (header_size - i < 16) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
} else if (fourcc_tag == vtrk_TAG) { } else if (fourcc_tag == vtrk_TAG) {
if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) if ((ret = parse_vtrk(s, fourxm, header + i, size,
header_size - i)) < 0)
goto fail; goto fail;
i += 8 + size; i += 8 + size;
} else if (fourcc_tag == strk_TAG) { } else if (fourcc_tag == strk_TAG) {
if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) if ((ret = parse_strk(s, fourxm, header + i, size,
header_size - i)) < 0)
goto fail; goto fail;
i += 8 + size; i += 8 + size;

Write Preview
Loading…
Cancel
Save