On Fri, Aug 05, 2016 at 03:54:25PM -0700, kod...@gmail.com wrote:
> From: Chris Moeller <kod...@gmail.com>
>
> ---
> libavformat/mp3dec.c | 64
> +++++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 63 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
> index 56c7f8c..3055e2c 100644
> --- a/libavformat/mp3dec.c
> +++ b/libavformat/mp3dec.c
> @@ -295,6 +295,53 @@ static void mp3_parse_vbri_tag(AVFormatContext *s,
> AVStream *st, int64_t base)
> }
> }
>
> +static void mp3_parse_itunes_tag(AVFormatContext *s, AVStream *st,
> MPADecodeHeader *c, int64_t base, int vbrtag_size, unsigned int *size,
> uint64_t *duration)
> +{
> + uint32_t v;
> + AVDictionaryEntry *de;
> + MP3DecContext *mp3 = s->priv_data;
> + size_t length;
> + uint32_t zero, start_pad, end_pad;
> + uint64_t last_eight_frames_offset;
> + int i;
> +
> + if (!s->metadata || !(de = av_dict_get(s->metadata, "iTunSMPB", NULL,
> 0)))
> + return;
> +
> + length = strlen(de->value);
> +
> + /* Minimum length is one digit per field plus the whitespace, maximum
> length should depend on field type
> + * There are four fields we need in the first six, the rest are
> currently zero padding */
> + if (length < (12 + 11) || length > (10 * 8 + 2 * 16 + 11))
> + return;
> +
> + if (sscanf(de->value, "%x %x %x %llx %x %llx", &zero, &start_pad,
> &end_pad, duration, &zero, &last_eight_frames_offset) < 6) {
> + *duration = 0;
> + return;
> + }
libavformat/mp3dec.c: In function ‘mp3_parse_itunes_tag’:
libavformat/mp3dec.c:318:5: warning: format ‘%llx’ expects argument of type ‘long long unsigned int *’, but argument 6 has type ‘uint64_t *’ [-Wformat]
libavformat/mp3dec.c:318:5: warning: format ‘%llx’ expects argument of type ‘long long unsigned int *’, but argument 8 has type ‘uint64_t *’ [-Wformat]
check for duration < 0 missing
> +
> + mp3->start_pad = start_pad;
> + mp3->end_pad = end_pad;
assigning unsigend to signed with no range checks could result in overflow, though even if it doesnt overflow the value should be checked to be within a sane range
> + if (end_pad >= 528 + 1)
> + mp3->end_pad = end_pad - (528 + 1);
> + st->start_skip_samples = mp3->start_pad + 528 + 1;
> + av_log(s, AV_LOG_DEBUG, "pad %d %d\n", mp3->start_pad, mp3->end_pad);
> + if (!s->pb->seekable)
> + return;
> +
> + *size = (unsigned int) last_eight_frames_offset;
value could be truncated, missing range check
> + avio_seek(s->pb, base + vbrtag_size + last_eight_frames_offset,
> SEEK_SET);
missing seek faiure check also please provide a testcase/sample for this (a fate test would be even better) thx
[...]
-- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB You can kill me, but you cannot change the truth.