RepoMirrors/mpv
1
0
Fork 0
mirror of https://github.com/mpv-player/mpv synced 2025-04-11 04:01:31 +00:00
Code Issues Releases Wiki Activity

demux_mkv: verify laces separately, and in all cases

Browse Source
This commit is contained in:
wm4 2013-04-13 19:17:16 +02:00
parent 1d6558d9c8
commit 59eaa8ed7e
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
demux/demux_mkv.c
View File

@ -1824,8 +1824,6 @@ static int demux_mkv_read_block_lacing(bstr *buffer, int *laces,
goto error; goto error;
lace_size[i] += t; lace_size[i] += t;
} while (t == 0xFF); } while (t == 0xFF);
if (lace_size[i] > buffer->len - total || total > buffer->len)
goto error;
total += lace_size[i]; total += lace_size[i];
} }
lace_size[i] = buffer->len - total; lace_size[i] = buffer->len - total;
@ -1849,14 +1847,22 @@ static int demux_mkv_read_block_lacing(bstr *buffer, int *laces,
if (snum == EBML_INT_INVALID) if (snum == EBML_INT_INVALID)
goto error; goto error;
lace_size[i] = lace_size[i - 1] + snum; lace_size[i] = lace_size[i - 1] + snum;
if (lace_size[i] > buffer->len - total || total > buffer->len)
goto error;
total += lace_size[i]; total += lace_size[i];
} }
lace_size[i] = buffer->len - total; lace_size[i] = buffer->len - total;
break; break;
} }
} }
total = buffer->len;
for (i = 0; i < *laces; i++) {
if (lace_size[i] > total)
goto error;
total -= lace_size[i];
}
if (total != 0)
goto error;
return 0; return 0;
error: error: