|
|
|
@ -60,7 +60,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
|
|
|
|
|
if (mms->asf_header_size < sizeof(ff_asf_guid) * 2 + 22 || |
|
|
|
|
memcmp(p, ff_asf_header, sizeof(ff_asf_guid))) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (invalid ASF header, size=%d)\n", |
|
|
|
|
mms->asf_header_size); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
@ -77,7 +77,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
chunksize = AV_RL64(p + sizeof(ff_asf_guid)); |
|
|
|
|
} |
|
|
|
|
if (!chunksize || chunksize > end - p) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (header chunksize %"PRId64" is invalid)\n", |
|
|
|
|
chunksize); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
@ -87,7 +87,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
if (end - p > sizeof(ff_asf_guid) * 2 + 68) { |
|
|
|
|
mms->asf_packet_len = AV_RL32(p + sizeof(ff_asf_guid) * 2 + 64); |
|
|
|
|
if (mms->asf_packet_len <= 0 || mms->asf_packet_len > sizeof(mms->in_buffer)) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (too large pkt_len %d)\n", |
|
|
|
|
mms->asf_packet_len); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
@ -110,7 +110,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
mms->streams[mms->stream_num].id = stream_id; |
|
|
|
|
mms->stream_num++; |
|
|
|
|
} else { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (too many A/V streams)\n"); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
|
} |
|
|
|
@ -121,7 +121,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
uint64_t skip_bytes = 88; |
|
|
|
|
while (stream_count--) { |
|
|
|
|
if (end - p < skip_bytes + 4) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (next stream name length is not in the buffer)\n"); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
|
} |
|
|
|
@ -129,14 +129,14 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
} |
|
|
|
|
while (ext_len_count--) { |
|
|
|
|
if (end - p < skip_bytes + 22) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (next extension system info length is not in the buffer)\n"); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
|
} |
|
|
|
|
skip_bytes += 22 + AV_RL32(p + skip_bytes + 18); |
|
|
|
|
} |
|
|
|
|
if (end - p < skip_bytes) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (the last extension system info length is invalid)\n"); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
|
} |
|
|
|
@ -146,7 +146,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) |
|
|
|
|
} else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { |
|
|
|
|
chunksize = 46; // see references [2] section 3.4. This should be set 46.
|
|
|
|
|
if (chunksize > end - p) { |
|
|
|
|
av_log(NULL, AV_LOG_ERROR, |
|
|
|
|
av_log(mms->mms_hd, AV_LOG_ERROR, |
|
|
|
|
"Corrupt stream (header chunksize %"PRId64" is invalid)\n", |
|
|
|
|
chunksize); |
|
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
|
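Review bot: In the `-129,14` hunk, `skip_bytes += 22 + AV_RL32(p + skip_bytes + 18);` does the addition in 32-bit unsigned arithmetic before widening into the `uint64_t` accumulator, assuming AV_RL32 yields a 32-bit value as its name suggests. A stream-supplied extension length close to 2^32 would then wrap to a small increment, so the parser carries on at the wrong offset instead of rejecting the header. The surrounding `end - p < skip_bytes + 22` and `end - p < skip_bytes` checks still bound the visible reads, so this looks like a mis-parse rather than an out-of-bounds access, but the rest of the function lies outside the hunks shown. Widening first keeps the declared length intact so the existing checks reject it: `skip_bytes += 22 + (uint64_t)AV_RL32(p + skip_bytes + 18);`.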