generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add checks to ff_split_xiph_headers to ensure that returned header_len and

Browse Source 
header_start values are always valid.
Fixes a crash with http://samples.mplayerhq.hu/ogg/mmw-deadzy.ogg
(still does not play though).

Originally committed as revision 12913 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Reimar Döffinger 2008-04-20 23:33:49 +00:00
parent 63d864434d
commit 58720ebd9e
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
libavcodec/xiph.c
View File

@ -26,20 +26,27 @@ int ff_split_xiph_headers(uint8_t *extradata, int extradata_size,
{ {
int i, j; int i, j;
if (AV_RB16(extradata) == first_header_size) { if (extradata_size >= 6 && AV_RB16(extradata) == first_header_size) {
int overall_len = 6;
for (i=0; i<3; i++) { for (i=0; i<3; i++) {
header_len[i] = AV_RB16(extradata); header_len[i] = AV_RB16(extradata);
extradata += 2; extradata += 2;
header_start[i] = extradata; header_start[i] = extradata;
extradata += header_len[i]; extradata += header_len[i];
if (overall_len > extradata_size - header_len[i])
return -1;
overall_len += header_len[i];
} }
} else if (extradata[0] == 2) { } else if (extradata_size >= 3 && extradata_size < INT_MAX - 0x1ff && extradata[0] == 2) {
int overall_len = 3;
for (i=0,j=1; i<2; i++,j++) { for (i=0,j=1; i<2; i++,j++) {
header_len[i] = 0; header_len[i] = 0;
for (; j<extradata_size && extradata[j]==0xff; j++) { for (; overall_len < extradata_size && extradata[j]==0xff; j++) {
header_len[i] += 0xff; header_len[i] += 0xff;
overall_len += 0xff + 1;
} }
if (j >= extradata_size) overall_len += extradata[j];
if (overall_len > extradata_size)
return -1; return -1;
header_len[i] += extradata[j]; header_len[i] += extradata[j];