From b72ebc6fb8bc52666cb40bdbb38478466628df48 Mon Sep 17 00:00:00 2001
From: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Tue, 11 Apr 2006 10:43:20 +0000
Subject: check wav header length against upper limit, should protect against
 some misdetections (esp. with text files).

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@18075 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/demux_audio.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'libmpdemux/demux_audio.c')

diff --git a/libmpdemux/demux_audio.c b/libmpdemux/demux_audio.c
index e6457228b7..de9dd87bd9 100644
--- a/libmpdemux/demux_audio.c
+++ b/libmpdemux/demux_audio.c
@@ -27,6 +27,9 @@ typedef struct da_priv {
   float last_pts;
 } da_priv_t;
 
+//! rather arbitrary value for maximum length of wav-format headers
+#define MAX_WAVHDR_LEN (1 * 1024 * 1024)
+
 // how many valid frames in a row we need before accepting as valid MP3
 #define MIN_MP3_HDRS 5
 
@@ -412,6 +415,11 @@ static int demux_audio_open(demuxer_t* demuxer) {
       free_sh_audio(sh_audio);
       return 0;
     }
+    if(l > MAX_WAVHDR_LEN) {
+      mp_msg(MSGT_DEMUX,MSGL_ERR,"[demux_audio] Bad wav header length: too long (%d)!!!\n",l);
+      free_sh_audio(sh_audio);
+      return 0;
+    }
     sh_audio->wf = w = (WAVEFORMATEX*)malloc(l > sizeof(WAVEFORMATEX) ? l : sizeof(WAVEFORMATEX));
     w->wFormatTag = sh_audio->format = stream_read_word_le(s);
     w->nChannels = sh_audio->channels = stream_read_word_le(s);
-- 
cgit v1.2.3