RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-01-30 19:34:43 +00:00
Code Issues Projects Releases Wiki Activity

Merge commit '42d73f7f6bea0ee0f64a3ad4882860ce5b923a11'

Browse Source 
* commit '42d73f7f6bea0ee0f64a3ad4882860ce5b923a11':
  4xm: do not overread while parsing header

Conflicts:
	libavformat/4xm.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-06-13 11:56:31 +02:00
commit 4027e13663
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
libavformat/4xm.c
View File

@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
}
static int parse_vtrk(AVFormatContext *s,
FourxmDemuxContext *fourxm, uint8_t *buf, int size)
FourxmDemuxContext *fourxm, uint8_t *buf, int size,
int left)
{
AVStream *st;
/* check that there is enough data */
if (size != vtrk_SIZE) {
if (size != vtrk_SIZE || left < size + 8) {
return AVERROR_INVALIDDATA;
}
@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,
static int parse_strk(AVFormatContext *s,
FourxmDemuxContext *fourxm, uint8_t *buf, int size)
FourxmDemuxContext *fourxm, uint8_t *buf, int size,
int left)
{
AVStream *st;
int track;
/* check that there is enough data */
if (size != strk_SIZE)
if (size != strk_SIZE || left < size + 8)
return AVERROR_INVALIDDATA;
track = AV_RL32(buf + 8);
@ -230,18 +232,21 @@ static int fourxm_read_header(AVFormatContext *s)
}
if (fourcc_tag == std__TAG) {
if (header_size < i + 16) {
if (header_size - i < 16) {
av_log(s, AV_LOG_ERROR, "std TAG truncated\n");
return AVERROR_INVALIDDATA;
ret = AVERROR_INVALIDDATA;
goto fail;
}
fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
} else if (fourcc_tag == vtrk_TAG) {
if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
if ((ret = parse_vtrk(s, fourxm, header + i, size,
header_size - i)) < 0)
goto fail;
i += 8 + size;
} else if (fourcc_tag == strk_TAG) {
if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
if ((ret = parse_strk(s, fourxm, header + i, size,
header_size - i)) < 0)
goto fail;
i += 8 + size;