[FFmpeg-cvslog] r12241 - trunk/libavformat/mov.c
Michael Niedermayer
michaelni
Wed Feb 27 00:30:18 CET 2008
On Tue, Feb 26, 2008 at 07:21:58PM +0100, bcoudurier wrote:
> Author: bcoudurier
> Date: Tue Feb 26 19:21:58 2008
> New Revision: 12241
>
> Log:
> support mov reference files, ref.mov/ref.m2v/ref.wav and detect BrianCox.mov
[...]
> +static int mov_read_dref(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
> +{
> + AVStream *st = c->fc->streams[c->fc->nb_streams-1];
> + MOVStreamContext *sc = st->priv_data;
> + int entries, i, j;
> +
> + get_be32(pb); // version + flags
> + entries = get_be32(pb);
> + if (entries >= UINT_MAX / sizeof(*sc->drefs))
> + return -1;
> + sc->drefs_count = entries;
> + sc->drefs = av_mallocz(entries * sizeof(*sc->drefs));
> +
> + for (i = 0; i < sc->drefs_count; i++) {
> + MOV_dref_t *dref = &sc->drefs[i];
> + uint32_t size = get_be32(pb);
> + offset_t next = url_ftell(pb) + size - 4;
> +
> + dref->type = get_le32(pb);
> + get_be32(pb); // version + flags
> + dprintf(c->fc, "type %.4s size %d\n", (char*)&dref->type, size);
> +
> + if (dref->type == MKTAG('a','l','i','s') && size > 150) {
> + /* macintosh alias record */
> + uint16_t volume_len, len;
> + char volume[28];
> + int16_t type;
> +
> + url_fskip(pb, 10);
> +
> + volume_len = get_byte(pb);
> + volume_len = FFMIN(volume_len, 27);
> + get_buffer(pb, volume, 27);
> + volume[volume_len] = 0;
> + av_log(c->fc, AV_LOG_DEBUG, "volume %s, len %d\n", volume, volume_len);
> +
> + url_fskip(pb, 112);
> +
> + for (type = 0; type != -1 && url_ftell(pb) < next; ) {
> + type = get_be16(pb);
> + len = get_be16(pb);
> + av_log(c->fc, AV_LOG_DEBUG, "type %d, len %d\n", type, len);
> + if (len&1)
> + len += 1;
> + if (type == 2) { // absolute path
> + dref->path = av_mallocz(len+1);
> + get_buffer(pb, dref->path, len);
> + if (!strncmp(dref->path, volume, volume_len)) {
> + len -= volume_len;
> + memmove(dref->path, dref->path+volume_len, len);
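Review bot: Both `av_mallocz()` results are used without a NULL check: `sc->drefs` is indexed by the loop immediately after it is allocated, and `dref->path` is handed straight to `get_buffer()`. Since `entries` and `len` are read from the file, a failed allocation turns into a write through a NULL pointer; add `if (!sc->drefs) return -1;` after the first call and `if (!dref->path) return -1;` after the second. Separately, the first statement indexes `c->fc->streams[c->fc->nb_streams-1]` without confirming that a stream exists, so if this handler can run before any stream is created the index is out of bounds; a guard such as `if (c->fc->nb_streams < 1) return 0;` at the top would cover it. The body of mov_read_dref continues outside the quoted hunk.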
Let's assume the first byte of both dref->path and volume is 0,
len=2
volume_len=27
then memmove() will be executed with a len of 65511, which is larger than the
array
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein