diff options
| author | wm4 <wm4@nowhere> | 2014-01-14 17:38:08 +0100 |
|---|---|---|
| committer | wm4 <wm4@nowhere> | 2014-01-14 17:38:08 +0100 |
| commit | ae27e13a0a0d0d69ca3e91ade710ded5208f4fc6 (patch) | |
| tree | 28e7f180e34f3b81cc030410918277fdc9e59fa5 /demux/ebml.c | |
| parent | b51713e8e7938978a675abf1bedc2ff2d9ae7319 (diff) | |
| download | mpv-ae27e13a0a0d0d69ca3e91ade710ded5208f4fc6.tar.bz2 mpv-ae27e13a0a0d0d69ca3e91ade710ded5208f4fc6.tar.xz | |
demux_mkv: avoid skipping too much data in corrupted files
Until now, corrupted files were detected if the size of an element (that
should be skipped) was larger than the remaining file. This still could
skip larger regions of the file itself if the broken size happened to be
within the file.
Change it so that it's never allowed to skip outside the parent's
element.
Diffstat (limited to 'demux/ebml.c')
| -rw-r--r-- | demux/ebml.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/demux/ebml.c b/demux/ebml.c index fbc9998602..c875ef564c 100644 --- a/demux/ebml.c +++ b/demux/ebml.c @@ -293,9 +293,10 @@ int ebml_resync_cluster(struct mp_log *log, stream_t *s) /* * Skip the current element, or on error, call ebml_resync_cluster(). + * end gives the maximum possible file pos (due to EBML parent element size). */ -int ebml_read_skip_or_resync_cluster(struct mp_log *log, stream_t *s, - uint64_t *length) +int ebml_read_skip_or_resync_cluster(struct mp_log *log, int64_t end, + stream_t *s) { uint64_t len; int l; @@ -304,11 +305,11 @@ int ebml_read_skip_or_resync_cluster(struct mp_log *log, stream_t *s, if (len == EBML_UINT_INVALID) goto resync; - if (length) - *length = len + l; - int64_t pos = stream_tell(s); + if (end >= 0 && pos + len > end) + goto resync; + // When reading corrupted elements, len will often be a random high number, // and stream_skip() will fail when skipping past EOF. if (!stream_skip(s, len)) { |