diff options
author | wm4 <wm4@nowhere> | 2014-11-21 05:07:13 +0100 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2014-11-21 05:17:52 +0100 |
commit | 550c16fe9dc3e6e6bf199ff756c581855513f1c5 (patch) | |
tree | 7e677b0612d610f6f65c5046750463548a5e479b /demux/demux_mkv.c | |
parent | 3df8e64ec0aa7a4b70ed0f00aeaec46bb4f34db6 (diff) | |
download | mpv-550c16fe9dc3e6e6bf199ff756c581855513f1c5.tar.bz2 mpv-550c16fe9dc3e6e6bf199ff756c581855513f1c5.tar.xz |
demux_mkv: fix possible real-audio out of bounds accesses
Could index static arrays from arbitrary input data without checking for
bounds.
Found by Coverity.
Diffstat (limited to 'demux/demux_mkv.c')
-rw-r--r-- | demux/demux_mkv.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c index 5edacfd946..fc1d77594c 100644 --- a/demux/demux_mkv.c +++ b/demux/demux_mkv.c @@ -1471,7 +1471,7 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track) /* Common initialization for all RealAudio codecs */ unsigned char *src = track->private_data; int codecdata_length, version; - int flavor; + unsigned int flavor; sh_a->bitrate = 0; /* FIXME !? */ @@ -1507,14 +1507,20 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track) switch (track->a_formattag) { case MP_FOURCC('a', 't', 'r', 'c'): + if (flavor >= MP_ARRAY_SIZE(atrc_fl2bps)) + goto error; sh_a->bitrate = atrc_fl2bps[flavor] * 8; sh_a->block_align = track->sub_packet_size; goto audiobuf; case MP_FOURCC('c', 'o', 'o', 'k'): + if (flavor >= MP_ARRAY_SIZE(cook_fl2bps)) + goto error; sh_a->bitrate = cook_fl2bps[flavor] * 8; sh_a->block_align = track->sub_packet_size; goto audiobuf; case MP_FOURCC('s', 'i', 'p', 'r'): + if (flavor >= MP_ARRAY_SIZE(sipr_fl2bps)) + goto error; sh_a->bitrate = sipr_fl2bps[flavor] * 8; sh_a->block_align = track->coded_framesize; goto audiobuf; |