thpdemux: Check that packed sizes are within the files data size and filesize.
Fixes Ticket774 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
@@ -26,6 +26,7 @@
|
|||||||
|
|
||||||
typedef struct ThpDemuxContext {
|
typedef struct ThpDemuxContext {
|
||||||
int version;
|
int version;
|
||||||
|
unsigned data_size;
|
||||||
int first_frame;
|
int first_frame;
|
||||||
int first_framesz;
|
int first_framesz;
|
||||||
int last_frame;
|
int last_frame;
|
||||||
@@ -41,7 +42,7 @@ typedef struct ThpDemuxContext {
|
|||||||
unsigned char components[16];
|
unsigned char components[16];
|
||||||
AVStream* vst;
|
AVStream* vst;
|
||||||
int has_audio;
|
int has_audio;
|
||||||
int audiosize;
|
unsigned audiosize;
|
||||||
} ThpDemuxContext;
|
} ThpDemuxContext;
|
||||||
|
|
||||||
|
|
||||||
@@ -60,6 +61,7 @@ static int thp_read_header(AVFormatContext *s,
|
|||||||
ThpDemuxContext *thp = s->priv_data;
|
ThpDemuxContext *thp = s->priv_data;
|
||||||
AVStream *st;
|
AVStream *st;
|
||||||
AVIOContext *pb = s->pb;
|
AVIOContext *pb = s->pb;
|
||||||
|
int64_t fsize= avio_size(pb);
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
/* Read the file header. */
|
/* Read the file header. */
|
||||||
@@ -72,7 +74,9 @@ static int thp_read_header(AVFormatContext *s,
|
|||||||
thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX);
|
thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX);
|
||||||
thp->framecnt = avio_rb32(pb);
|
thp->framecnt = avio_rb32(pb);
|
||||||
thp->first_framesz = avio_rb32(pb);
|
thp->first_framesz = avio_rb32(pb);
|
||||||
avio_rb32(pb); /* Data size. */
|
thp->data_size = avio_rb32(pb);
|
||||||
|
if(fsize>0 && (!thp->data_size || fsize < thp->data_size))
|
||||||
|
thp->data_size= fsize;
|
||||||
|
|
||||||
thp->compoff = avio_rb32(pb);
|
thp->compoff = avio_rb32(pb);
|
||||||
avio_rb32(pb); /* offsetDataOffset. */
|
avio_rb32(pb); /* offsetDataOffset. */
|
||||||
@@ -143,7 +147,7 @@ static int thp_read_packet(AVFormatContext *s,
|
|||||||
{
|
{
|
||||||
ThpDemuxContext *thp = s->priv_data;
|
ThpDemuxContext *thp = s->priv_data;
|
||||||
AVIOContext *pb = s->pb;
|
AVIOContext *pb = s->pb;
|
||||||
int size;
|
unsigned int size;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (thp->audiosize == 0) {
|
if (thp->audiosize == 0) {
|
||||||
@@ -159,6 +163,10 @@ static int thp_read_packet(AVFormatContext *s,
|
|||||||
|
|
||||||
avio_rb32(pb); /* Previous total size. */
|
avio_rb32(pb); /* Previous total size. */
|
||||||
size = avio_rb32(pb); /* Total size of this frame. */
|
size = avio_rb32(pb); /* Total size of this frame. */
|
||||||
|
if(thp->data_size && avio_tell(pb) + size > thp->data_size) {
|
||||||
|
av_log(s, AV_LOG_ERROR, "Video packet truncated\n");
|
||||||
|
size= thp->data_size - avio_tell(pb);
|
||||||
|
}
|
||||||
|
|
||||||
/* Store the audiosize so the next time this function is called,
|
/* Store the audiosize so the next time this function is called,
|
||||||
the audio can be read. */
|
the audio can be read. */
|
||||||
@@ -175,6 +183,11 @@ static int thp_read_packet(AVFormatContext *s,
|
|||||||
|
|
||||||
pkt->stream_index = thp->video_stream_index;
|
pkt->stream_index = thp->video_stream_index;
|
||||||
} else {
|
} else {
|
||||||
|
if(thp->data_size && avio_tell(pb) + thp->audiosize > thp->data_size){
|
||||||
|
av_log(s, AV_LOG_ERROR, "Audio packet truncated\n");
|
||||||
|
thp->audiosize= thp->data_size - avio_tell(pb);
|
||||||
|
}
|
||||||
|
|
||||||
ret = av_get_packet(pb, pkt, thp->audiosize);
|
ret = av_get_packet(pb, pkt, thp->audiosize);
|
||||||
if (ret != thp->audiosize) {
|
if (ret != thp->audiosize) {
|
||||||
av_free_packet(pkt);
|
av_free_packet(pkt);
|
||||||
|
|||||||
Reference in New Issue
Block a user