mirror of https://github.com/mpv-player/mpv
demux_mkv: stricter realaudio extradata handling
Verify memory accesses and such. The behavior should be equivalent. (RealAudio causes pain for everyone even in its grave.)
This commit is contained in:
parent
fd557a0178
commit
8b44be54e7
|
@ -1426,12 +1426,14 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
|
|||
track->sub_packet_h = AV_RB16(src + 40);
|
||||
sh_a->block_align = track->audiopk_size = AV_RB16(src + 42);
|
||||
track->sub_packet_size = AV_RB16(src + 44);
|
||||
int offset = 0;
|
||||
if (version == 4) {
|
||||
src += RAPROPERTIES4_SIZE;
|
||||
src += src[0] + 1;
|
||||
src += src[0] + 1;
|
||||
offset += RAPROPERTIES4_SIZE;
|
||||
if (offset + 1 > track->private_size)
|
||||
goto error;
|
||||
offset += (src[offset] + 1) * 2 + 3;
|
||||
} else {
|
||||
src += RAPROPERTIES5_SIZE;
|
||||
offset += RAPROPERTIES5_SIZE + 3 + (version == 5 ? 1 : 0);
|
||||
}
|
||||
|
||||
if (track->audiopk_size == 0 || track->sub_packet_size == 0 ||
|
||||
|
@ -1440,15 +1442,15 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
|
|||
if (track->coded_framesize > 0x40000000)
|
||||
goto error;
|
||||
|
||||
src += 3;
|
||||
if (version == 5)
|
||||
src++;
|
||||
uint32_t codecdata_length = AV_RB32(src);
|
||||
if (codecdata_length > 0x1000000)
|
||||
if (offset + 4 > track->private_size)
|
||||
goto error;
|
||||
uint32_t codecdata_length = AV_RB32(src + offset);
|
||||
offset += 4;
|
||||
if (offset > track->private_size ||
|
||||
codecdata_length > track->private_size - offset)
|
||||
goto error;
|
||||
src += 4;
|
||||
extradata_len = codecdata_length;
|
||||
extradata = src;
|
||||
extradata = src + offset;
|
||||
|
||||
if (!strcmp(track->codec_id, "A_REAL/ATRC")) {
|
||||
sh->codec = "atrac3";
|
||||
|
|
Loading…
Reference in New Issue