Andreas Rheinhardt: > A Seek element in a Matroska SeekHead should contain a SeekID and a > SeekPosition element and upon reading, they should be sanitized: > > Given that IDs are restricted to 32 bit, longer SeekIDs should be treated > as invalid. Instead currently the lower 32 bits have been used. > > For SeekPosition, no checks were performed for the element to be > present and if present, whether it was excessively large (i.e. the > absolute file position described by it exceeding INT64_MAX). The > SeekPosition element had a default value of -1 which means that a check > seems to have been intended; but it was not implemented. This commit adds > a check for overflow to the calculation of the absolute file position of > the referenced level 1 elements. > Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that > a Seek element without SeekPosition will run afoul of this check. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@gmail.com> > --- > libavformat/matroskadec.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > index 8e1326abf6..dea8f14f9e 100644 > --- a/libavformat/matroskadec.c > +++ b/libavformat/matroskadec.c > @@ -1865,8 +1865,12 @@ static void > matroska_execute_seekhead(MatroskaDemuxContext *matroska) > MatroskaSeekhead *seekheads = seekhead_list->elem; > uint32_t id = seekheads[i].id; > int64_t pos = seekheads[i].pos + matroska->segment_start; > + MatroskaLevel1Element *elem; > > - MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, > id); > + if (id != seekheads[i].id || pos < matroska->segment_start) > + continue; > + > + elem = matroska_find_level1_elem(matroska, id); > if (!elem || elem->parsed) > continue; > Will apply this patchset tomorrow if there are no objections.
- Andreas _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".