Do not read data past the end of the SSND chunk in the AIFF demuxer.
Fixes Issue 1455. Originally committed as revision 20219 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Justin Ruggles
parent
dd9d5a1ef8
commit
24c6f152c4
@ -46,6 +46,10 @@ static const AVCodecTag codec_aiff_tags[] = {
|
|||||||
#define AIFF 0
|
#define AIFF 0
|
||||||
#define AIFF_C_VERSION1 0xA2805140
|
#define AIFF_C_VERSION1 0xA2805140
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
int64_t data_end;
|
||||||
|
} AIFFInputContext;
|
||||||
|
|
||||||
static enum CodecID aiff_codec_get_id(int bps)
|
static enum CodecID aiff_codec_get_id(int bps)
|
||||||
{
|
{
|
||||||
if (bps <= 8)
|
if (bps <= 8)
|
||||||
@ -314,6 +318,7 @@ static int aiff_read_header(AVFormatContext *s,
|
|||||||
unsigned version = AIFF_C_VERSION1;
|
unsigned version = AIFF_C_VERSION1;
|
||||||
ByteIOContext *pb = s->pb;
|
ByteIOContext *pb = s->pb;
|
||||||
AVStream * st;
|
AVStream * st;
|
||||||
|
AIFFInputContext *aiff = s->priv_data;
|
||||||
|
|
||||||
/* check FORM header */
|
/* check FORM header */
|
||||||
filesize = get_tag(pb, &tag);
|
filesize = get_tag(pb, &tag);
|
||||||
@ -366,6 +371,7 @@ static int aiff_read_header(AVFormatContext *s,
|
|||||||
get_meta(s, "comment" , size);
|
get_meta(s, "comment" , size);
|
||||||
break;
|
break;
|
||||||
case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */
|
case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */
|
||||||
|
aiff->data_end = url_ftell(pb) + size;
|
||||||
offset = get_be32(pb); /* Offset of sound data */
|
offset = get_be32(pb); /* Offset of sound data */
|
||||||
get_be32(pb); /* BlockSize... don't care */
|
get_be32(pb); /* BlockSize... don't care */
|
||||||
offset += url_ftell(pb); /* Compute absolute data offset */
|
offset += url_ftell(pb); /* Compute absolute data offset */
|
||||||
@ -420,10 +426,18 @@ static int aiff_read_packet(AVFormatContext *s,
|
|||||||
AVPacket *pkt)
|
AVPacket *pkt)
|
||||||
{
|
{
|
||||||
AVStream *st = s->streams[0];
|
AVStream *st = s->streams[0];
|
||||||
|
AIFFInputContext *aiff = s->priv_data;
|
||||||
|
int64_t max_size;
|
||||||
int res;
|
int res;
|
||||||
|
|
||||||
|
/* calculate size of remaining data */
|
||||||
|
max_size = aiff->data_end - url_ftell(s->pb);
|
||||||
|
if (max_size <= 0)
|
||||||
|
return AVERROR_EOF;
|
||||||
|
|
||||||
/* Now for that packet */
|
/* Now for that packet */
|
||||||
res = av_get_packet(s->pb, pkt, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
|
max_size = FFMIN(max_size, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
|
||||||
|
res = av_get_packet(s->pb, pkt, max_size);
|
||||||
if (res < 0)
|
if (res < 0)
|
||||||
return res;
|
return res;
|
||||||
|
|
||||||
@ -436,7 +450,7 @@ static int aiff_read_packet(AVFormatContext *s,
|
|||||||
AVInputFormat aiff_demuxer = {
|
AVInputFormat aiff_demuxer = {
|
||||||
"aiff",
|
"aiff",
|
||||||
NULL_IF_CONFIG_SMALL("Audio IFF"),
|
NULL_IF_CONFIG_SMALL("Audio IFF"),
|
||||||
0,
|
sizeof(AIFFInputContext),
|
||||||
aiff_probe,
|
aiff_probe,
|
||||||
aiff_read_header,
|
aiff_read_header,
|
||||||
aiff_read_packet,
|
aiff_read_packet,
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user