libbluray | branch: master | hpi1 <[email protected]> | Sun Feb 23 14:06:54 2014 +0200| [047070c1fa9c411a0d508b5b0edf67eea2198f3a] | committer: hpi1
mpls_parse: added sanity checks > http://git.videolan.org/gitweb.cgi/libbluray.git/?a=commit;h=047070c1fa9c411a0d508b5b0edf67eea2198f3a --- src/libbluray/bdnav/mpls_parse.c | 35 +++++++++++++++++++++++++++++------ src/util/bits.h | 5 +++++ 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/src/libbluray/bdnav/mpls_parse.c b/src/libbluray/bdnav/mpls_parse.c index 2b591fb..dd8ce9f 100644 --- a/src/libbluray/bdnav/mpls_parse.c +++ b/src/libbluray/bdnav/mpls_parse.c @@ -100,8 +100,7 @@ _parse_uo(BITSTREAM *bits, BD_UO_MASK *uo) static int _parse_appinfo(BITSTREAM *bits, MPLS_AI *ai) { - int len; - off_t pos; + off_t pos, len; if (!bs_is_align(bits, 0x07)) { fprintf(stderr, "_parse_appinfo: alignment error\n"); @@ -109,6 +108,11 @@ _parse_appinfo(BITSTREAM *bits, MPLS_AI *ai) pos = bs_pos(bits) >> 3; len = bs_read(bits, 32); + if (bs_avail(bits) < len * 8) { + fprintf(stderr, "_parse_appinfo: unexpected end of file\n"); + return 0; + } + // Reserved bs_skip(bits, 8); ai->playback_type = bs_read(bits, 8); @@ -131,6 +135,11 @@ _parse_appinfo(BITSTREAM *bits, MPLS_AI *ai) static int _parse_header(BITSTREAM *bits, MPLS_PL *pl) { + if (bs_avail(bits) < 5 * 32 + 160) { + fprintf(stderr, "_parse_header: unexpected end of file\n"); + return 0; + } + pl->type_indicator = bs_read(bits, 32); pl->type_indicator2 = bs_read(bits, 32); if (pl->type_indicator != MPLS_SIG1 || @@ -641,12 +650,19 @@ _clean_subpath(MPLS_SUB *sp) static int _parse_playlistmark(BITSTREAM *bits, MPLS_PL *pl) { + off_t len; int ii; MPLS_PLM *plm = NULL; bs_seek_byte(bits, pl->mark_pos); - // Skip the length field, I don't use it - bs_skip(bits, 32); + // length field + len = bs_read(bits, 32); + + if (bs_avail(bits) < len * 8) { + fprintf(stderr, "_parse_playlistmark: unexpected end of file\n"); + return 0; + } + // Then get the number of marks pl->mark_count = bs_read(bits, 16); 
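Review bot: In `_parse_appinfo` the new guard `bs_avail(bits) < len * 8` multiplies a file-supplied 32-bit length that is stored in an `off_t`, so the check is only sound where `off_t` is 64 bits wide. On a build with a 32-bit `off_t`, a large length can become negative or overflow in `len * 8` (signed overflow is undefined), and the comparison can then accept truncated input. Declaring `uint32_t len;` and comparing as `if ((int64_t)bs_avail(bits) < (int64_t)len * 8) {` keeps the arithmetic exact on both; this assumes `bs_read` returns an unsigned 32-bit value, and its prototype is not in this diff. The same expression is added in `_parse_playlistmark` and `_parse_playlist`, and the body of `_parse_appinfo` continues outside the hunk.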
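Review bot: The bound in `_parse_header`, `bs_avail(bits) < 5 * 32 + 160`, is an unexplained constant with nothing tying it to the reads it is meant to cover. Only the two `type_indicator` reads are visible in this hunk, so the remaining three 32-bit fields and the 160 bits have to be confirmed against the rest of the function. I would add a comment such as `/* 5 x 32-bit header fields + 160 reserved bits */`, or a named constant, so that a later change to the header layout cannot silently desynchronise the check.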
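Review bot: In `_parse_playlistmark` the new `len` is compared with the remaining data but never with `pl->mark_count`, which is read from the file on the next line. Judging by the `ii` and `plm` locals, that count presumably drives an allocation and a loop further down, outside this hunk. A file can therefore declare a small `len` together with a large mark count, and the added check does not bound that parse. Consider rejecting the playlist when the count times the per-mark entry size exceeds `len - 2`, with the entry size taken from the loop body not shown here. `_parse_playlist` reads `len` the same way, and whether its item counts are bounded is likewise not visible in this diff.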
@@ -666,13 +682,20 @@ _parse_playlistmark(BITSTREAM *bits, MPLS_PL *pl) static int _parse_playlist(BITSTREAM *bits, MPLS_PL *pl) { + off_t len; int ii; MPLS_PI *pi = NULL; MPLS_SUB *sub_path = NULL; bs_seek_byte(bits, pl->list_pos); - // Skip playlist length - bs_skip(bits, 32); + // playlist length + len = bs_read(bits, 32); + + if (bs_avail(bits) < len * 8) { + fprintf(stderr, "_parse_playlist: unexpected end of file\n"); + return 0; + } + // Skip reserved bytes bs_skip(bits, 16); diff --git a/src/util/bits.h b/src/util/bits.h index 50af804..620fcbd 100644 --- a/src/util/bits.h +++ b/src/util/bits.h @@ -86,6 +86,11 @@ static inline int bs_eof( const BITSTREAM *bs ) return file_eof(bs->fp) && bb_eof(&bs->bb); } +static inline off_t bs_avail( const BITSTREAM *bs ) +{ + return bs_end(bs) - bs_pos(bs); +} + static inline void bb_seek_byte( BITBUFFER *bb, off_t off) { bb_seek(bb, off << 3, SEEK_SET); _______________________________________________ libbluray-devel mailing list [email protected] https://mailman.videolan.org/listinfo/libbluray-devel
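Review bot: The new `bs_avail` helper in `bits.h` has no comment stating its unit or that its result can be negative. The callers added in this commit compare it with `len * 8`, so it is evidently a bit count. It is also called right after `bs_seek_byte()` to a file-supplied offset, where the position may lie past the end of the stream; whether the seek clamps is not visible here. I would add `/* Bits left between the current position and the end of the stream; may be negative if positioned past the end. */` above the definition, so that callers keep the comparison signed and do not cast the result to an unsigned type.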
