authorwm4 <wm4@nowhere>2014-11-21 05:07:13 +0100
committerwm4 <wm4@nowhere>2014-11-21 05:17:52 +0100
commit550c16fe9dc3e6e6bf199ff756c581855513f1c5 (patch)
tree7e677b0612d610f6f65c5046750463548a5e479b /demux
parent3df8e64ec0aa7a4b70ed0f00aeaec46bb4f34db6 (diff)
downloadmpv-550c16fe9dc3e6e6bf199ff756c581855513f1c5.tar.bz2
mpv-550c16fe9dc3e6e6bf199ff756c581855513f1c5.tar.xz
demux_mkv: fix possible real-audio out of bounds accesses
Could index static arrays from arbitrary input data without checking for bounds. Found by Coverity.
Diffstat (limited to 'demux')
-rw-r--r--demux/demux_mkv.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index 5edacfd946..fc1d77594c 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -1471,7 +1471,7 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
/* Common initialization for all RealAudio codecs */
unsigned char *src = track->private_data;
int codecdata_length, version;
- int flavor;
+ unsigned int flavor;
sh_a->bitrate = 0; /* FIXME !? */
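Review bot: Nothing at the declaration says why `flavor` is unsigned, yet the table lookups further down in demux_mkv_open_audio check only an upper bound and so depend on the index never being negative. A short comment would keep a later cleanup from reverting the type, e.g. `unsigned int flavor; /* from file data; unsigned so one >= check bounds the table index */`. The assignment to `flavor` is outside this hunk, so the width of the parsed field cannot be confirmed from here.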
@@ -1507,14 +1507,20 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track)
switch (track->a_formattag) {
case MP_FOURCC('a', 't', 'r', 'c'):
+ if (flavor >= MP_ARRAY_SIZE(atrc_fl2bps))
+ goto error;
sh_a->bitrate = atrc_fl2bps[flavor] * 8;
sh_a->block_align = track->sub_packet_size;
goto audiobuf;
case MP_FOURCC('c', 'o', 'o', 'k'):
+ if (flavor >= MP_ARRAY_SIZE(cook_fl2bps))
+ goto error;
sh_a->bitrate = cook_fl2bps[flavor] * 8;
sh_a->block_align = track->sub_packet_size;
goto audiobuf;
case MP_FOURCC('s', 'i', 'p', 'r'):
+ if (flavor >= MP_ARRAY_SIZE(sipr_fl2bps))
+ goto error;
sh_a->bitrate = sipr_fl2bps[flavor] * 8;
sh_a->block_align = track->coded_framesize;
goto audiobuf;
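Review bot: `sh_a->block_align` in these three cases is still taken from `track->sub_packet_size` or `track->coded_framesize` with no range check visible, while only the `flavor` table index is guarded. If those fields are parsed from the same RealAudio private data as `flavor`, they should be validated before the `audiobuf` path uses them; that parsing and both the `audiobuf` and `error` labels lie outside the hunk, so this needs confirming there. The rejection is also silent as written: a one-line warning before each `goto error`, naming the codec and the offending flavor value, would make a malformed or hostile file diagnosable from the log. The switch may have further cases past the end of the hunk that index similar tables and would need the same guard.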