diff options
| author | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2008-01-06 14:30:25 +0000 |
|---|---|---|
| committer | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2008-01-06 14:30:25 +0000 |
| commit | 2bc03fd010f18df0be4d2aeae4b461c47f807180 (patch) | |
| tree | bc63368efab1772a20aea71da7c90e5ee19d190e /libmpdemux | |
| parent | b9a788edaaa96c65eb637fa4b09fd5ab41b1e9fb (diff) | |
| download | mpv-2bc03fd010f18df0be4d2aeae4b461c47f807180.tar.bz2 mpv-2bc03fd010f18df0be4d2aeae4b461c47f807180.tar.xz | |
Don't overread audio data
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@25628 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux')
| -rw-r--r-- | libmpdemux/demux_real.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/libmpdemux/demux_real.c b/libmpdemux/demux_real.c index a2e4fb3cef..fe7877e14f 100644 --- a/libmpdemux/demux_real.c +++ b/libmpdemux/demux_real.c @@ -666,12 +666,19 @@ got_audio: #endif if (((sh_audio_t *)ds->sh)->format == mmioFOURCC('M', 'P', '4', 'A')) { uint16_t sub_packet_lengths[16], sub_packets, i; + int totlen = 0; /* AAC in Real: several AAC frames in one Real packet. */ /* Second byte, upper four bits: number of AAC frames */ /* next n * 2 bytes: length of the AAC frames in bytes, BE */ + if (len < 2) + goto discard; sub_packets = (stream_read_word(demuxer->stream) & 0xf0) >> 4; + if (len < 2 * sub_packets) + goto discard; for (i = 0; i < sub_packets; i++) - sub_packet_lengths[i] = stream_read_word(demuxer->stream); + totlen += sub_packet_lengths[i] = stream_read_word(demuxer->stream); + if (len < totlen ) + goto discard; for (i = 0; i < sub_packets; i++) { demux_packet_t *dp = new_demux_packet(sub_packet_lengths[i]); stream_read(demuxer->stream, dp->buffer, sub_packet_lengths[i]); @@ -693,15 +700,21 @@ got_audio: spc = priv->sub_packet_cnt; switch (priv->intl_id[stream_id]) { case mmioFOURCC('I', 'n', 't', '4'): + if (len < cfs * sph/2) + goto discard; for (x = 0; x < sph / 2; x++) stream_read(demuxer->stream, priv->audio_buf + x * 2 * w + spc * cfs, cfs); break; case mmioFOURCC('g', 'e', 'n', 'r'): + if (len < w) + goto discard; for (x = 0; x < w / sps; x++) stream_read(demuxer->stream, priv->audio_buf + sps * (sph * x + ((sph + 1) / 2) * (spc & 1) + (spc >> 1)), sps); break; case mmioFOURCC('s', 'i', 'p', 'r'): + if (len < w) + goto discard; stream_read(demuxer->stream, priv->audio_buf + spc * w, w); if (spc == sph - 1) { int n; |