[FFmpeg-devel] [PATCH 3/3] LucasArts SMUSH demuxer

Michael Niedermayer michaelni at gmx.at
Sun Jun 17 15:01:47 CEST 2012


On Thu, Jun 14, 2012 at 12:47:04AM +0000, Paul B Mahol wrote:
[...]
> +static av_cold int read_ainfo1(AVIOContext *pb, smush_ainfo *ainfo)
> +{
> +    uint32_t sig, size, chunk_size, read = 0;
> +    int got_wave = 0;
> +
> +    sig = avio_rb32(pb);
> +    if (sig != MKBETAG('F', 'L', 'H', 'D'))
> +        return AVERROR_INVALIDDATA;
> +

> +    size = avio_rb32(pb);
> +    while (!got_wave && ((read + 8) < size)) {
> +        sig        = avio_rb32(pb);
> +        chunk_size = avio_rb32(pb);
> +
> +        read += 8;
> +        switch (sig) {
> +        case MKBETAG('W', 'a', 'v', 'e'):
> +            got_wave         = 1;
> +            ainfo->freq      = avio_rl32(pb);
> +            ainfo->nchannels = avio_rl32(pb);
> +            avio_skip(pb, chunk_size - 8);
> +            read += chunk_size;
> +            break;
> +        case MKBETAG('B', 'l', '1', '6'):
> +        case MKBETAG('A', 'N', 'N', 'O'):
> +            avio_skip(pb, chunk_size);
> +            read += chunk_size;
> +            break;
> +        }
> +    }
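Review bot: the switch in this hunk has no default case, so a chunk whose tag is not Wave, Bl16 or ANNO advances `read` by 8 but never skips its `chunk_size` payload; the next iteration then reads a tag and size from the middle of that payload. Add a `default:` that does `avio_skip(pb, chunk_size); read += chunk_size;`. Separately, `avio_skip(pb, chunk_size - 8)` and `read += chunk_size` are uint32_t arithmetic: a Wave chunk with chunk_size below 8 underflows into a huge skip, and a chunk_size near UINT32_MAX wraps `read` so the `(read + 8) < size` bound no longer ends the loop; reject `chunk_size < 8` in the Wave case and `chunk_size > size - read` before skipping.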

possible infinite loop with size = 0xFFFFFFFF, and no
'W', 'a', 'v', 'e' before EOF


> +
> +    avio_skip(pb, size - read);
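Review bot: the return value of `avio_skip(pb, size - read)` is discarded, so a failed skip or EOF on a truncated file still lets the function return success with whatever `ainfo` holds. Guard `read > size` first (the subtraction is uint32_t and wraps), then check for a negative result from avio_skip and propagate it.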

size < read would cause a large forward skip

[...]

> +        vstream->codec->extradata = av_malloc(1024 + 2);
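Review bot: the av_malloc result is not checked before being stored in `vstream->codec->extradata`, so an allocation failure leaves a NULL extradata pointer for the decoder. Return AVERROR(ENOMEM) when it is NULL, and size the allocation as `1024 + 2 + FF_INPUT_BUFFER_PADDING_SIZE` so the trailing padding the decoder expects is present.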

missing FF_INPUT_BUFFER_PADDING_SIZE

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle