[FFmpeg-cvslog] thpdemux: Check that packed sizes are within the files data size and filesize.

Michael Niedermayer git at videolan.org
Fri Dec 16 06:25:16 CET 2011


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Dec 16 05:35:04 2011 +0100| [482ee63641f4fa50f017538af384aadbceee7a18] | committer: Michael Niedermayer

thpdemux: Check that packed sizes are within the files data size and filesize.
Fixes Ticket774
Bug found by: Diana Elena Muscalu

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=482ee63641f4fa50f017538af384aadbceee7a18
---

 libavformat/thp.c |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/libavformat/thp.c b/libavformat/thp.c
index cd50917..7c3a1cd 100644
--- a/libavformat/thp.c
+++ b/libavformat/thp.c
@@ -26,6 +26,7 @@
 
 typedef struct ThpDemuxContext {
     int              version;
+    unsigned         data_size;
     int              first_frame;
     int              first_framesz;
     int              last_frame;
@@ -41,7 +42,7 @@ typedef struct ThpDemuxContext {
     unsigned char    components[16];
     AVStream*        vst;
     int              has_audio;
-    int              audiosize;
+    unsigned         audiosize;
 } ThpDemuxContext;
 
 
@@ -60,6 +61,7 @@ static int thp_read_header(AVFormatContext *s,
     ThpDemuxContext *thp = s->priv_data;
     AVStream *st;
     AVIOContext *pb = s->pb;
+    int64_t fsize= avio_size(pb);
     int i;
 
     /* Read the file header.  */
@@ -72,7 +74,9 @@ static int thp_read_header(AVFormatContext *s,
     thp->fps             = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX);
     thp->framecnt        = avio_rb32(pb);
     thp->first_framesz   = avio_rb32(pb);
-                           avio_rb32(pb); /* Data size.  */
+    thp->data_size       = avio_rb32(pb);
+    if(fsize>0 && (!thp->data_size || fsize < thp->data_size))
+        thp->data_size= fsize;
 
     thp->compoff         = avio_rb32(pb);
                            avio_rb32(pb); /* offsetDataOffset.  */
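Review bot: Storing `fsize` into the 32-bit `unsigned data_size` truncates when the header field is zero and the file is larger than 4 GiB, so the bound used by the later packet checks becomes the file size modulo 2^32 (or zero, which disables them). Declaring the field as `int64_t data_size;` in ThpDemuxContext would avoid this and keep the later `data_size - avio_tell(pb)` arithmetic signed. Separately, thp_read_packet compares this header value against absolute file positions; if the field counts only frame data rather than an end offset, the limit is stricter than intended, so confirm this against the format description and record the meaning in a comment such as `/* upper bound on the absolute read position, clamped to the file size */`. thp_read_header continues outside this hunk.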
@@ -143,7 +147,7 @@ static int thp_read_packet(AVFormatContext *s,
 {
     ThpDemuxContext *thp = s->priv_data;
     AVIOContext *pb = s->pb;
-    int size;
+    unsigned int size;
     int ret;
 
     if (thp->audiosize == 0) {
@@ -159,6 +163,10 @@ static int thp_read_packet(AVFormatContext *s,
 
                         avio_rb32(pb); /* Previous total size.  */
         size          = avio_rb32(pb); /* Total size of this frame.  */
+        if(thp->data_size && avio_tell(pb) + size > thp->data_size) {
+            av_log(s, AV_LOG_ERROR, "Video packet truncated\n");
+            size= thp->data_size - avio_tell(pb);
+        }
 
         /* Store the audiosize so the next time this function is called,
            the audio can be read.  */
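Review bot: The clamp `size= thp->data_size - avio_tell(pb);` yields a negative difference when the read position is already past `data_size`, and assigning that to the `unsigned int size` wraps it to a very large value instead of limiting it. `data_size` is read from the file header, so the value is not trustworthy. Compute the remainder in a signed 64-bit variable and fail when nothing is left, e.g. `int64_t left = (int64_t)thp->data_size - avio_tell(pb);`, then `if (left <= 0) return AVERROR_INVALIDDATA;` and `if (size > left) size = left;`. The same pattern appears in the audio branch of the last hunk (`thp->audiosize= thp->data_size - avio_tell(pb);`) and needs the same guard. thp_read_packet starts and ends outside this hunk, so check whether state updated earlier in the function must be restored before an early return.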
@@ -175,6 +183,11 @@ static int thp_read_packet(AVFormatContext *s,
 
         pkt->stream_index = thp->video_stream_index;
     } else {
+        if(thp->data_size && avio_tell(pb) + thp->audiosize > thp->data_size){
+            av_log(s, AV_LOG_ERROR, "Audio packet truncated\n");
+            thp->audiosize= thp->data_size - avio_tell(pb);
+        }
+
         ret = av_get_packet(pb, pkt, thp->audiosize);
         if (ret != thp->audiosize) {
             av_free_packet(pkt);
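Review bot: With `audiosize` now unsigned, `av_get_packet(pb, pkt, thp->audiosize)` still receives it through an `int` size parameter, and `ret != thp->audiosize` compares a signed return value with an unsigned field, so a negative error code is converted to unsigned before the comparison. Bounding the value first keeps both sides in range: add `if (thp->audiosize > INT_MAX) return AVERROR_INVALIDDATA;` ahead of the call and test `ret < 0 || ret != (int)thp->audiosize` afterwards. The else branch continues outside this hunk.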


