diff options
author | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2008-12-14 15:17:18 +0000 |
---|---|---|
committer | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2008-12-14 15:17:18 +0000 |
commit | bac1f05b4da4339b487e4e6ab972819142b3f13e (patch) | |
tree | 7243e276fa0f4bff2955a6ea2a073b0adc21839e | |
parent | cc25ffb79264ca60a6dd8026ad24d1a4c259bbce (diff) | |
download | mpv-bac1f05b4da4339b487e4e6ab972819142b3f13e.tar.bz2 mpv-bac1f05b4da4339b487e4e6ab972819142b3f13e.tar.xz |
Add extra checks to avoid crashes with broken vqf files
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@28149 b3059339-0415-0410-9bf9-f77b7e298cf2
-rw-r--r-- | libmpdemux/demux_vqf.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/libmpdemux/demux_vqf.c b/libmpdemux/demux_vqf.c index 3578803b66..3aefa02dd9 100644 --- a/libmpdemux/demux_vqf.c +++ b/libmpdemux/demux_vqf.c @@ -51,11 +51,14 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) { unsigned chunk_size; hi->size=chunk_size=stream_read_dword(s); /* include itself */ stream_read(s,chunk_id,4); + if (chunk_size < 8) return NULL; + chunk_size -= 8; if(AV_RL32(chunk_id)==mmioFOURCC('C','O','M','M')) { - char buf[chunk_size-8]; + char buf[BUFSIZ]; unsigned i,subchunk_size; - if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL; + if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL; + if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL; i=0; subchunk_size = AV_RB32(buf); hi->channelMode = AV_RB32(buf + 4); @@ -84,13 +87,15 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) { sh_audio->samplesize = 4; w->wBitsPerSample = 8*sh_audio->samplesize; w->cbSize = 0; + if (subchunk_size > chunk_size - 4) continue; i+=subchunk_size+4; - while(i<chunk_size-8) + while(i + 8 < chunk_size) { unsigned slen,sid; - char sdata[chunk_size]; + char sdata[BUFSIZ]; sid = AV_RL32(buf + i); i+=4; slen = AV_RB32(buf + i); i+=4; + if (slen > sizeof(sdata) - 1 || slen > chunk_size - i) break; if(sid==mmioFOURCC('D','S','I','Z')) { hi->Dsiz=AV_RB32(buf + i); @@ -142,7 +147,7 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) { if(AV_RL32(chunk_id)==mmioFOURCC('D','A','T','A')) { demuxer->movi_start=stream_tell(s); - demuxer->movi_end=demuxer->movi_start+chunk_size-8; + demuxer->movi_end=demuxer->movi_start+chunk_size; mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end); /* Done! play it */ break; @@ -150,7 +155,7 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) { else { mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",chunk_id[0],chunk_id[1],chunk_id[2],chunk_id[3],chunk_size); - stream_skip(s,chunk_size-8); /*unknown chunk type */ + stream_skip(s,chunk_size); /*unknown chunk type */ } } |