har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

thpdemux: Check that packed sizes are within the files data size and filesize.

Browse Source 
Fixes Ticket774
Bug found by: Diana Elena Muscalu

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2011-12-16 05:35:04 +01:00
parent e098fba5d9
commit 482ee63641
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
libavformat/thp.c
View File

@ -26,6 +26,7 @@
typedef struct ThpDemuxContext { typedef struct ThpDemuxContext {
int version; int version;
unsigned data_size;
int first_frame; int first_frame;
int first_framesz; int first_framesz;
int last_frame; int last_frame;
@ -41,7 +42,7 @@ typedef struct ThpDemuxContext {
unsigned char components[16]; unsigned char components[16];
AVStream* vst; AVStream* vst;
int has_audio; int has_audio;
int audiosize; unsigned audiosize;
} ThpDemuxContext; } ThpDemuxContext;
@ -60,6 +61,7 @@ static int thp_read_header(AVFormatContext *s,
ThpDemuxContext *thp = s->priv_data; ThpDemuxContext *thp = s->priv_data;
AVStream *st; AVStream *st;
AVIOContext *pb = s->pb; AVIOContext *pb = s->pb;
int64_t fsize= avio_size(pb);
int i; int i;
/* Read the file header. */ /* Read the file header. */
@ -72,7 +74,9 @@ static int thp_read_header(AVFormatContext *s,
thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX);
thp->framecnt = avio_rb32(pb); thp->framecnt = avio_rb32(pb);
thp->first_framesz = avio_rb32(pb); thp->first_framesz = avio_rb32(pb);
avio_rb32(pb); /* Data size. */ thp->data_size = avio_rb32(pb);
if(fsize>0 && (!thp->data_size || fsize < thp->data_size))
thp->data_size= fsize;
thp->compoff = avio_rb32(pb); thp->compoff = avio_rb32(pb);
avio_rb32(pb); /* offsetDataOffset. */ avio_rb32(pb); /* offsetDataOffset. */
@ -143,7 +147,7 @@ static int thp_read_packet(AVFormatContext *s,
{ {
ThpDemuxContext *thp = s->priv_data; ThpDemuxContext *thp = s->priv_data;
AVIOContext *pb = s->pb; AVIOContext *pb = s->pb;
int size; unsigned int size;
int ret; int ret;
if (thp->audiosize == 0) { if (thp->audiosize == 0) {
@ -159,6 +163,10 @@ static int thp_read_packet(AVFormatContext *s,
avio_rb32(pb); /* Previous total size. */ avio_rb32(pb); /* Previous total size. */
size = avio_rb32(pb); /* Total size of this frame. */ size = avio_rb32(pb); /* Total size of this frame. */
if(thp->data_size && avio_tell(pb) + size > thp->data_size) {
av_log(s, AV_LOG_ERROR, "Video packet truncated\n");
size= thp->data_size - avio_tell(pb);
}
/* Store the audiosize so the next time this function is called, /* Store the audiosize so the next time this function is called,
the audio can be read. */ the audio can be read. */
@ -175,6 +183,11 @@ static int thp_read_packet(AVFormatContext *s,
pkt->stream_index = thp->video_stream_index; pkt->stream_index = thp->video_stream_index;
} else { } else {
if(thp->data_size && avio_tell(pb) + thp->audiosize > thp->data_size){
av_log(s, AV_LOG_ERROR, "Audio packet truncated\n");
thp->audiosize= thp->data_size - avio_tell(pb);
}
ret = av_get_packet(pb, pkt, thp->audiosize); ret = av_get_packet(pb, pkt, thp->audiosize);
if (ret != thp->audiosize) { if (ret != thp->audiosize) {
av_free_packet(pkt); av_free_packet(pkt);