Merge commit '42d73f7f6bea0ee0f64a3ad4882860ce5b923a11'

* commit '42d73f7f6bea0ee0f64a3ad4882860ce5b923a11': 4xm: do not overread while parsing header Conflicts: libavformat/4xm.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-06-13 11:56:31 +02:00 · 2013-06-13 11:56:31 +02:00 · 4027e13663
parent 60657ee37a 42d73f7f6b
commit 4027e13663
1 changed files with 13 additions and 8 deletions
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
 }

 static int parse_vtrk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
    AVStream *st;
    /* check that there is enough data */
-    if (size != vtrk_SIZE) {
+    if (size != vtrk_SIZE || left < size + 8) {
        return AVERROR_INVALIDDATA;
    }

@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,


 static int parse_strk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
    AVStream *st;
    int track;
    /* check that there is enough data */
-    if (size != strk_SIZE)
+    if (size != strk_SIZE || left < size + 8)
        return AVERROR_INVALIDDATA;

    track = AV_RL32(buf + 8);
@ -230,18 +232,21 @@ static int fourxm_read_header(AVFormatContext *s)
        }

        if (fourcc_tag == std__TAG) {
-            if (header_size < i + 16) {
+            if (header_size - i < 16) {
                av_log(s, AV_LOG_ERROR, "std TAG truncated\n");
-                return AVERROR_INVALIDDATA;
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
            }
            fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
        } else if (fourcc_tag == vtrk_TAG) {
-            if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_vtrk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                goto fail;

            i += 8 + size;
        } else if (fourcc_tag == strk_TAG) {
-            if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_strk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                goto fail;

            i += 8 + size;