author | Kacper Michajłow <kasper93@gmail.com> | 2024-01-28 04:21:12 +0100 |
---|---|---|
committer | Dudemanguy <random342@airmail.cc> | 2024-02-15 16:43:37 +0000 |
commit | f413e38e42e64fde91670726f727471359f41077 (patch) | |
tree | 648ff49f44baca78089900bed120296ef2041cbd | |
parent | 5e54a871c5e38225a3575c92196b1355f7744f1b (diff) | |
demux_mkv: don't return null bstr with size specified
Such bstr objects are not valid. Also reject empty blocks.
Found by fuzzing.
-rw-r--r-- | demux/demux_mkv.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index 50f4c78b25..5440c6af1e 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -406,6 +406,8 @@ static bstr demux_mkv_decode(struct mp_log *log, mkv_track_t *track,
 talloc_free(src);
 if (!size)
 dest = NULL;
+ if (!dest)
+ size = 0;
 return (bstr){dest, size};
 }
@@ -2072,6 +2074,8 @@ static void probe_x264_garbage(demuxer_t *demuxer)
 bstr sblock = {block->laces[0]->data, block->laces[0]->size};
 bstr nblock = demux_mkv_decode(demuxer->log, track, sblock, 1);
+ if (!nblock.len)
+ continue;
 sh->codec->first_packet = new_demux_packet_from(nblock.start, nblock.len);
 talloc_steal(mkv_d, sh->codec->first_packet);
@@ -2834,6 +2838,8 @@ static int handle_block(demuxer_t *demuxer, struct block_info *block_info)
 bstr block = {data->data, data->size};
 bstr nblock = demux_mkv_decode(demuxer->log, track, block, 1);
+ if (!nblock.len)
+ break;
 if (block.start != nblock.start || block.len != nblock.len) {
 // (avoidable copy of the entire data) |
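Review bot: The tail of demux_mkv_decode now guarantees that a NULL `start` always comes with `len == 0`, but nothing at the function states this, and the two guards added in probe_x264_garbage and handle_block depend on it. I would put a comment above the function, e.g. `/* Returns (bstr){NULL, 0} on failure or empty output; callers must check .len before using .start. */`. The two checks could also collapse into `if (!size || !dest) return (bstr){0};`. Only the end of the function is in the hunk, so whether any other caller still passes the result on without testing `.len` cannot be seen here and is worth a grep.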
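Review bot: The added `break` in handle_block leaves the enclosing loop entirely, whereas the same guard in probe_x264_garbage uses `continue`; the loop header is outside the hunk, but if it iterates over the laces of the block, one empty or undecodable lace now discards every lace after it. If that is intended, a comment such as `// empty or failed decode: drop the rest of this block` would make it explicit; otherwise `continue;` skips only the bad lace. The value handle_block returns after this early exit is also outside the hunk and worth checking, so that a malformed file is not reported as a successfully handled block.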