[FFmpeg-cvslog] oma: Fix out of array read.

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sat Dec  3 05:27:04 2011 +0100| [a930cd0d195ea1c33b6b97b3f3f60703f899e739] | committer: Michael Niedermayer

oma: Fix out of array read.

Input: 01-Untitled-partial.oma
ZZUF params: zzuf[s=7157,r=0.001]

Bug-found-by: darkshikari
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a930cd0d195ea1c33b6b97b3f3f60703f899e739
---

 libavformat/oma.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavformat/oma.c b/libavformat/oma.c
index 79aae45..2fc6cfc 100644
--- a/libavformat/oma.c
+++ b/libavformat/oma.c
@@ -156,7 +156,7 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val)
     return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0;
 }
 
-static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val)
+static int nprobe(AVFormatContext *s, uint8_t *enc_header, int size, const uint8_t *n_val)
 {
     OMAContext *oc = s->priv_data;
     uint32_t pos, taglen, datalen;
@@ -175,6 +175,9 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val)
     taglen = AV_RB32(&enc_header[pos+32]);
     datalen = AV_RB32(&enc_header[pos+36]) >> 4;
 
+    if(taglen + (((uint64_t)datalen)<<4) + 44 > size)
+        return -1;
+
     pos += 44 + taglen;
 
     av_des_init(&av_des, n_val, 192, 1);
@@ -245,14 +248,14 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
     }
     if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) ||
         rprobe(s, gdata, oc->r_val) < 0 &&
-        nprobe(s, gdata, oc->n_val) < 0) {
+        nprobe(s, gdata, geob->datasize, oc->n_val) < 0) {
         int i;
         for (i = 0; i < sizeof(leaf_table); i += 2) {
             uint8_t buf[16];
             AV_WL64(buf, leaf_table[i]);
             AV_WL64(&buf[8], leaf_table[i+1]);
             kset(s, buf, buf, 16);
-            if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, oc->n_val))
+            if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, geob->datasize, oc->n_val))
                 break;
         }
         if (i >= sizeof(leaf_table)) {