demux_mkv: fix a possible out of bounds access

The if branch has a weak check to test whether the codec_id is the short
ID, and handles the long IDs in the else branch. The long IDs are all
longer than 12 bytes long, so hardcoding the string offset to get the
trailing part of the name makes sense. But the if condition checks for
another thing, which could get the else branch run even if the codec_id
is short.

Fix the bogus control flow and check if the codec_id is long enough. One
of these checks could be considered redundant, but include them both for
defensive coding.
This commit is contained in:
wm4 2014-11-27 21:54:37 +01:00
parent 4a83f3df11
commit 4ea094ac7e
1 changed files with 8 additions and 6 deletions

View File

@ -1414,20 +1414,22 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
sh_a->bitrate = 16000 * 8;
sh_a->block_align = 1024;
if (!strcmp(track->codec_id, MKV_A_AAC) && track->private_data) {
if (!extradata_len) {
if (!strcmp(track->codec_id, MKV_A_AAC)) {
if (track->private_data && !extradata_len) {
extradata = track->private_data;
extradata_len = track->private_size;
}
} else {
/* Recreate the 'private data' */
/* which faad2 uses in its initialization */
srate_idx = aac_get_sample_rate_index(track->a_sfreq);
if (!strncmp(&track->codec_id[12], "MAIN", 4))
const char *tail = "";
if (strlen(track->codec_id) >= 12)
tail = &track->codec_id[12];
if (!strncmp(tail, "MAIN", 4))
profile = 0;
else if (!strncmp(&track->codec_id[12], "LC", 2))
else if (!strncmp(tail, "LC", 2))
profile = 1;
else if (!strncmp(&track->codec_id[12], "SSR", 3))
else if (!strncmp(tail, "SSR", 3))
profile = 2;
else
profile = 3;