[MPlayer-cvslog] r28149 - trunk/libmpdemux/demux_vqf.c
reimar
subversion at mplayerhq.hu
Sun Dec 14 16:17:19 CET 2008
Author: reimar
Date: Sun Dec 14 16:17:18 2008
New Revision: 28149
Log:
Add extra checks to avoid crashes with broken vqf files
Modified:
trunk/libmpdemux/demux_vqf.c
Modified: trunk/libmpdemux/demux_vqf.c
==============================================================================
--- trunk/libmpdemux/demux_vqf.c (original)
+++ trunk/libmpdemux/demux_vqf.c Sun Dec 14 16:17:18 2008
@@ -51,11 +51,14 @@ static demuxer_t* demux_open_vqf(demuxer
unsigned chunk_size;
hi->size=chunk_size=stream_read_dword(s); /* include itself */
stream_read(s,chunk_id,4);
+ if (chunk_size < 8) return NULL;
+ chunk_size -= 8;
if(AV_RL32(chunk_id)==mmioFOURCC('C','O','M','M'))
{
- char buf[chunk_size-8];
+ char buf[BUFSIZ];
unsigned i,subchunk_size;
- if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL;
+ if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL;
+ if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL;
i=0;
subchunk_size = AV_RB32(buf);
hi->channelMode = AV_RB32(buf + 4);
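Review bot: `BUFSIZ` on the new `char buf[BUFSIZ];` line is a stdio constant with an implementation-defined value (the standard only guarantees 256), so using it as the accepted upper bound for the COMM chunk ties the parser's limits to the platform's stdio buffering rather than to the format, and the same applies to `sdata[BUFSIZ]` in the next hunk. A named limit such as `enum { VQF_MAX_COMM_SIZE = 8192 };` used for both arrays would make the bound explicit and consistent. The new `chunk_size -= 8;` also deserves a comment, since `hi->size` keeps the raw value one line earlier: `chunk_size -= 8; /* payload only; hi->size keeps the raw size including this 8-byte header */`. The enclosing chunk loop of demux_open_vqf starts and ends outside the hunk.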
@@ -84,13 +87,15 @@ static demuxer_t* demux_open_vqf(demuxer
sh_audio->samplesize = 4;
w->wBitsPerSample = 8*sh_audio->samplesize;
w->cbSize = 0;
+ if (subchunk_size > chunk_size - 4) continue;
i+=subchunk_size+4;
- while(i<chunk_size-8)
+ while(i + 8 < chunk_size)
{
unsigned slen,sid;
- char sdata[chunk_size];
+ char sdata[BUFSIZ];
sid = AV_RL32(buf + i); i+=4;
slen = AV_RB32(buf + i); i+=4;
+ if (slen > sizeof(sdata) - 1 || slen > chunk_size - i) break;
if(sid==mmioFOURCC('D','S','I','Z'))
{
hi->Dsiz=AV_RB32(buf + i);
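Review bot: The added `slen` check on the line before `if(sid==mmioFOURCC('D','S','I','Z'))` only guarantees that `slen` bytes remain in `buf`, but the DSIZ branch then reads four bytes at `buf + i` regardless of `slen`; with `slen` of 1 to 3 that read extends up to three bytes past the declared payload and, when `chunk_size` equals `sizeof(buf)`, past `buf` itself. A minimal guard in the DSIZ branch closes it: `if (slen < 4) break;` before `hi->Dsiz=AV_RB32(buf + i);`. The `continue` added before `i+=subchunk_size+4;` targets a loop whose header is outside the hunk, so I cannot confirm it resumes the outer chunk loop as intended; the subchunk while-loop body also continues past the hunk.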
@@ -142,7 +147,7 @@ static demuxer_t* demux_open_vqf(demuxer
if(AV_RL32(chunk_id)==mmioFOURCC('D','A','T','A'))
{
demuxer->movi_start=stream_tell(s);
- demuxer->movi_end=demuxer->movi_start+chunk_size-8;
+ demuxer->movi_end=demuxer->movi_start+chunk_size;
mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end);
/* Done! play it */
break;
@@ -150,7 +155,7 @@ static demuxer_t* demux_open_vqf(demuxer
else
{
mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",chunk_id[0],chunk_id[1],chunk_id[2],chunk_id[3],chunk_size);
- stream_skip(s,chunk_size-8); /*unknown chunk type */
+ stream_skip(s,chunk_size); /*unknown chunk type */
}
}