author | wm4 <wm4@nowhere> | 2015-06-19 21:43:55 +0200 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2015-06-19 21:43:55 +0200 |
commit | 8b44be54e7563b5f67e4ee1c5d4b20f32164c7b7 (patch) | |
tree | b4791dc8a4d887b91e3bbc6b1aa5b382c8dd0c4e | |
parent | fd557a0178ec64f03ec543eaf334209d7c2d08c5 (diff) | |
demux_mkv: stricter realaudio extradata handling
Verify memory accesses and such. The behavior should be equivalent.
(RealAudio causes pain for everyone even in its grave.)
-rw-r--r-- | demux/demux_mkv.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index 773a8a288a..e4c93f93ed 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -1426,12 +1426,14 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
 track->sub_packet_h = AV_RB16(src + 40);
 sh_a->block_align = track->audiopk_size = AV_RB16(src + 42);
 track->sub_packet_size = AV_RB16(src + 44);
+ int offset = 0;
 if (version == 4) {
- src += RAPROPERTIES4_SIZE;
- src += src[0] + 1;
- src += src[0] + 1;
+ offset += RAPROPERTIES4_SIZE;
+ if (offset + 1 > track->private_size)
+ goto error;
+ offset += (src[offset] + 1) * 2 + 3;
 } else {
- src += RAPROPERTIES5_SIZE;
+ offset += RAPROPERTIES5_SIZE + 3 + (version == 5 ? 1 : 0);
 }
 if (track->audiopk_size == 0 || track->sub_packet_size == 0 ||
@@ -1440,15 +1442,15 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
 if (track->coded_framesize > 0x40000000)
 goto error;
- src += 3;
- if (version == 5)
- src++;
- uint32_t codecdata_length = AV_RB32(src);
- if (codecdata_length > 0x1000000)
+ if (offset + 4 > track->private_size)
+ goto error;
+ uint32_t codecdata_length = AV_RB32(src + offset);
+ offset += 4;
+ if (offset > track->private_size ||
+ codecdata_length > track->private_size - offset)
 goto error;
- src += 4;
 extradata_len = codecdata_length;
- extradata = src;
+ extradata = src + offset;
 if (!strcmp(track->codec_id, "A_REAL/ATRC")) {
 sh->codec = "atrac3"; |
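Review bot: In the `version == 4` branch, `offset += (src[offset] + 1) * 2 + 3;` skips two length-prefixed fields using only the first field's length byte, whereas the removed lines read a separate length byte for each (`src += src[0] + 1;` twice). The two agree only when both length bytes are equal, so the "equivalent" claim in the description holds for well-formed headers but not for arbitrary input; the later `offset + 4 > track->private_size` check still keeps the read in bounds, but `extradata` can start at a different position than before. To keep the old semantics, give the second length its own check: `offset += src[offset] + 1;`, then `if (offset + 1 > track->private_size) goto error;`, then `offset += src[offset] + 1 + 3;`. The folded-in `+ 3` and `(version == 5 ? 1 : 0)` would also benefit from a short comment naming the bytes being skipped. The function body starts and ends outside the hunk.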
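Review bot: `offset` is a signed `int` (declared in the first hunk) that is compared with and subtracted from `track->private_size`, whose declaration is not visible here; if that field is unsigned, these comparisons rely on implicit conversion and would read more clearly with `offset` declared in the same type. The `offset > track->private_size` half of the second condition cannot be true after the preceding `offset + 4 > track->private_size` check followed by `offset += 4`, so it can be dropped or kept with a comment marking it as defensive. The remaining-bytes form `codecdata_length > track->private_size - offset` is what avoids wraparound in a sum, and a comment such as `/* compare against bytes left; offset + codecdata_length could wrap */` would stop a later edit from simplifying it into the unsafe form. The enclosing function continues outside the hunk.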