vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlc...@free.fr> | Sun Oct 5 16:22:18 2014 +0200| [9ccb8651baeca05c501193b1b371fbdef9a208ac] | committer: Jean-Baptiste Kempf
demux: asf: stay within track limits (cherry picked from commit a61da5b40d25af4fd0417eb3a9a172a92e62c659) Signed-off-by: Jean-Baptiste Kempf <j...@videolan.org> > http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=9ccb8651baeca05c501193b1b371fbdef9a208ac
---
 modules/demux/asf/asf.c | 4 +++-
 modules/demux/asf/libasf.c | 24 +++++++++++++++++++++---
 modules/demux/asf/libasf.h | 4 +++-
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c
index 21d59a0..7e14232 100644
--- a/modules/demux/asf/asf.c
+++ b/modules/demux/asf/asf.c
@@ -72,7 +72,7 @@ static int Demux ( demux_t * );
 static int Control( demux_t *, int i_query, va_list args );
 static void FlushRemainingPackets( demux_t *p_demux );
-#define MAX_ASF_TRACKS 128
+#define MAX_ASF_TRACKS (ASF_MAX_STREAMNUMBER + 1)
 #define ASF_PREROLL_FROM_CURRENT -1
 typedef struct
@@ -745,6 +745,8 @@ static int DemuxPayload(demux_t *p_demux, struct asf_packet_t *pkt, int i_payloa
 bool b_packet_keyframe = pkt->p_peek[pkt->i_skip] >> 7;
 uint8_t i_stream_number = pkt->p_peek[pkt->i_skip++] & 0x7f;
+ if ( i_stream_number >= MAX_ASF_TRACKS )
+ goto skip;
 uint32_t i_media_object_number = 0;
 if (GetValue2b(&i_media_object_number, pkt->p_peek, &pkt->i_skip, pkt->left - pkt->i_skip, pkt->property >> 4) < 0)
diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index e0ff405..7171549 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -543,7 +543,9 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
 p_sp->i_type_specific_data_length = GetDWLE( p_peek + 64 );
 p_sp->i_error_correction_data_length = GetDWLE( p_peek + 68 );
 p_sp->i_flags = GetWLE( p_peek + 72 );
- p_sp->i_stream_number = p_sp->i_flags&0x07f;
+ p_sp->i_stream_number = p_sp->i_flags&0x07f;
+ if ( p_sp->i_stream_number > ASF_MAX_STREAMNUMBER )
+ return VLC_EGENERIC;
 p_sp->i_reserved = GetDWLE( p_peek + 74 );
 i_peek -= 78;
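Review bot: The new guard in DemuxPayload, `if ( i_stream_number >= MAX_ASF_TRACKS ) goto skip;`, cannot fire as written, because the value was just masked with `& 0x7f` and is therefore at most 127 while MAX_ASF_TRACKS is now 128. The same holds for the test added after `p_sp->i_flags&0x07f` in ASF_ReadObject_stream_properties and for the per-entry test after `ASF_READ2()& 0x7f` in ASF_ReadObject_stream_bitrate_properties. In these three places the bound is enforced by the mask, not by the comparison, so I would say that next to the mask with a comment such as `/* 7-bit field: always <= ASF_MAX_STREAMNUMBER */`, or add a compile-time assertion tying 0x7f to ASF_MAX_STREAMNUMBER so the two cannot drift apart unnoticed. DemuxPayload's body and its `skip` label lie outside the hunk.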
@@ -828,13 +830,15 @@ static int ASF_ReadObject_stream_bitrate_properties( stream_t *s,
 p_data = &p_peek[24];
 p_sb->i_bitrate = ASF_READ2();
- if( p_sb->i_bitrate > 127 )
- p_sb->i_bitrate = 127; /* Buggy ? */
+ if( p_sb->i_bitrate > ASF_MAX_STREAMNUMBER )
+ p_sb->i_bitrate = ASF_MAX_STREAMNUMBER; /* Buggy ? */
 for( i = 0; i < p_sb->i_bitrate; i++ )
 {
 if( !ASF_HAVE(2 + 4) ) break;
 p_sb->bitrate[i].i_stream_number = (uint8_t) ASF_READ2()& 0x7f;
+ if ( p_sb->bitrate[i].i_stream_number > ASF_MAX_STREAMNUMBER )
+ return VLC_EGENERIC;
 p_sb->bitrate[i].i_avg_bitrate = ASF_READ4();
 }
 p_sb->i_bitrate = i;
@@ -879,6 +883,8 @@ static int ASF_ReadObject_extended_stream_properties( stream_t *s,
 p_esp->i_maximum_object_size = GetDWLE( &p_data[40] );
 p_esp->i_flags = GetDWLE( &p_data[44] );
 p_esp->i_stream_number = GetWLE( &p_data[48] );
+ if ( p_esp->i_stream_number > ASF_MAX_STREAMNUMBER )
+ return VLC_EGENERIC;
 p_esp->i_language_index = GetWLE( &p_data[50] );
 p_esp->i_average_time_per_frame= GetQWLE( &p_data[52] );
 p_esp->i_stream_name_count = GetWLE( &p_data[60] );
@@ -1021,12 +1027,19 @@ static int ASF_ReadObject_advanced_mutual_exclusion( stream_t *s,
 p_ae->i_stream_number_count = ASF_READ2();
 p_ae->pi_stream_number = calloc( p_ae->i_stream_number_count, sizeof(uint16_t) );
+ if ( !p_ae->pi_stream_number )
+ return VLC_ENOMEM;
 for( i = 0; i < p_ae->i_stream_number_count; i++ )
 {
 if( !ASF_HAVE(2) ) break;
 p_ae->pi_stream_number[i] = ASF_READ2();
+ if ( p_ae->pi_stream_number[i] > ASF_MAX_STREAMNUMBER )
+ {
+ free( p_ae->pi_stream_number );
+ return VLC_EGENERIC;
+ }
 }
 p_ae->i_stream_number_count = i;
@@ -1133,6 +1146,11 @@ static int ASF_ReadObject_bitrate_mutual_exclusion( stream_t *s, asf_object_t *p
 if( !ASF_HAVE(2) ) break;
 p_ex->pi_stream_numbers[i] = ASF_READ2();
+ if ( p_ex->pi_stream_numbers[i] > ASF_MAX_STREAMNUMBER )
+ {
+ free( p_ex->pi_stream_numbers );
+ return VLC_EGENERIC;
+ }
 }
 #ifdef ASF_DEBUG
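Review bot: In ASF_ReadObject_stream_bitrate_properties the record count `p_sb->i_bitrate` is clamped to ASF_MAX_STREAMNUMBER, which is a maximum stream number rather than the capacity of the array being filled. The array is declared as `bitrate[ASF_MAX_STREAMNUMBER + 1]` in libasf.h, so the clamp is safe, but it sits one below capacity and only stays correct as long as the two expressions are edited together. Bounding the loop by the storage itself, for example `sizeof(p_sb->bitrate) / sizeof(p_sb->bitrate[0])`, would keep the limit tied to the buffer it protects. The carried-over `/* Buggy ? */` could also be replaced by a comment stating that the clamp keeps a file-supplied count within the fixed-size array.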
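Review bot: The added `if ( !p_ae->pi_stream_number ) return VLC_ENOMEM;` in ASF_ReadObject_advanced_mutual_exclusion also triggers when the file declares a count of zero on platforms where `calloc(0, ...)` returns NULL, so an empty list is reported as out of memory; testing `p_ae->i_stream_number_count && !p_ae->pi_stream_number` avoids that. Separately, the new error path frees `p_ae->pi_stream_number` but leaves the pointer and `i_stream_number_count` set, and if the caller releases the object after a failed read (not visible in this hunk) that would be a double free. Adding `p_ae->pi_stream_number = NULL;` and zeroing the count before `return VLC_EGENERIC;` closes this, and the same applies to `p_ex->pi_stream_numbers` in ASF_ReadObject_bitrate_mutual_exclusion. Both function bodies extend beyond their hunks.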
diff --git a/modules/demux/asf/libasf.h b/modules/demux/asf/libasf.h
index ee2c20d..e8b792d 100644
--- a/modules/demux/asf/libasf.h
+++ b/modules/demux/asf/libasf.h
@@ -21,6 +21,8 @@
 *****************************************************************************/
+#define ASF_MAX_STREAMNUMBER 127
+
 /*****************************************************************************
 * Structure needed for decoder
 *****************************************************************************/
@@ -244,7 +246,7 @@ typedef struct
 {
 uint8_t i_stream_number;
 uint32_t i_avg_bitrate;
- } bitrate[128];
+ } bitrate[ASF_MAX_STREAMNUMBER + 1];
 } asf_object_stream_bitrate_properties_t;
_______________________________________________ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits