[FFmpeg-soc] [soc]: r5901 - mms/mmsh.c
spyfeng
subversion at mplayerhq.hu
Thu Aug 12 18:52:39 CEST 2010
Author: spyfeng
Date: Thu Aug 12 18:52:39 2010
New Revision: 5901
Log:
check buffer size when call url_read_complete() in case of overwrite.
Modified:
mms/mmsh.c
Modified: mms/mmsh.c
==============================================================================
--- mms/mmsh.c Thu Aug 12 18:23:21 2010 (r5900)
+++ mms/mmsh.c Thu Aug 12 18:52:39 2010 (r5901)
@@ -92,7 +92,7 @@ static int get_chunk_header(MMSHContext
int chunk_type;
int chunk_len, res, ext_header_len;
- res = url_read(mms->mms_hd, chunk_header, CHUNK_HEADER_LENGTH);
+ res = url_read_complete(mms->mms_hd, chunk_header, CHUNK_HEADER_LENGTH);
if (res != CHUNK_HEADER_LENGTH) {
av_log(NULL, AV_LOG_ERROR, "read data packet header failed!\n");
return AVERROR(EIO);
@@ -114,7 +114,12 @@ static int get_chunk_header(MMSHContext
return AVERROR_INVALIDDATA;
}
- res = url_read(mms->mms_hd, ext_header, ext_header_len);
+ if (ext_header_len > EXT_HEADER_LENGTH) {
+ av_log(NULL, AV_LOG_ERROR, "ext_header_len = %d exceed the buffer size %d\n",
+ ext_header_len, EXT_HEADER_LENGTH);
+ return AVERROR_INVALIDDATA;
+ }
+ res = url_read_complete(mms->mms_hd, ext_header, ext_header_len);
if (res != ext_header_len) {
av_log(NULL, AV_LOG_ERROR, "read ext header failed!\n");
return AVERROR(EIO);
@@ -129,6 +134,11 @@ static int read_data_packet(MMSHContext
{
MMSContext *mms = &mmsh->mms;
int res, pad_size = 0;
+ if (len > sizeof(mms->in_buffer)) {
+ av_log(NULL, AV_LOG_ERROR, "data packet len = %d exceed the in_buffer size %d\n",
+ len, sizeof(mms->in_buffer));
+ return AVERROR_IO;
+ }
res = url_read_complete(mms->mms_hd, mms->in_buffer, len);
dprintf(NULL, "data packet len = %d\n", len);
if (res != len) {
@@ -173,6 +183,12 @@ static int get_http_header_data(MMSHCont
if (!mms->asf_header) {
return AVERROR(ENOMEM);
}
+ mms->asf_header_size = len;
+ }
+ if (len > mms->asf_header_size) {
+ av_log(NULL, AV_LOG_ERROR, "asf header packet len = %d exceed the asf header buf size %d\n",
+ len, mms->asf_header_size);
+ return AVERROR_IO;
}
res = url_read_complete(mms->mms_hd, mms->asf_header, len);
if (res != len) {
@@ -191,6 +207,11 @@ static int get_http_header_data(MMSHCont
break;
} else {
if (len) {
+ if (len > sizeof(mms->in_buffer)) {
+ av_log(NULL, AV_LOG_ERROR, "other packet len = %d exceed the in_buffer size %d\n",
+ len, sizeof(mms->in_buffer));
+ return AVERROR_IO;
+ }
res = url_read_complete(mms->mms_hd, mms->in_buffer, len);
if (res != len) {
av_log(NULL, AV_LOG_ERROR, "read other chunk type data failed!\n");
More information about the FFmpeg-soc
mailing list