diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-06-13 13:56:31 +0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-06-13 13:56:31 +0400 |
| commit | 4027e136635759999ffb5fa16d1053f26c1dec5e (patch) | |
| tree | 697896a1a82cd5ac499a505e8579e7fcb8e672bd /libavformat/4xm.c | |
| parent | 60657ee37afb5388b75430db95cbce5146731c63 (diff) | |
| parent | 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11 (diff) | |
Merge commit '42d73f7f6bea0ee0f64a3ad4882860ce5b923a11'
* commit '42d73f7f6bea0ee0f64a3ad4882860ce5b923a11':
4xm: do not overread while parsing header
Conflicts:
libavformat/4xm.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/4xm.c')
| -rw-r--r-- | libavformat/4xm.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/libavformat/4xm.c b/libavformat/4xm.c index a11ce0e2fe..3714297dae 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p) } static int parse_vtrk(AVFormatContext *s, - FourxmDemuxContext *fourxm, uint8_t *buf, int size) + FourxmDemuxContext *fourxm, uint8_t *buf, int size, + int left) { AVStream *st; /* check that there is enough data */ - if (size != vtrk_SIZE) { + if (size != vtrk_SIZE || left < size + 8) { return AVERROR_INVALIDDATA; } @@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s, static int parse_strk(AVFormatContext *s, - FourxmDemuxContext *fourxm, uint8_t *buf, int size) + FourxmDemuxContext *fourxm, uint8_t *buf, int size, + int left) { AVStream *st; int track; /* check that there is enough data */ - if (size != strk_SIZE) + if (size != strk_SIZE || left < size + 8) return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); @@ -230,18 +232,21 @@ static int fourxm_read_header(AVFormatContext *s) } if (fourcc_tag == std__TAG) { - if (header_size < i + 16) { + if (header_size - i < 16) { av_log(s, AV_LOG_ERROR, "std TAG truncated\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { - if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) + if ((ret = parse_vtrk(s, fourxm, header + i, size, + header_size - i)) < 0) goto fail; i += 8 + size; } else if (fourcc_tag == strk_TAG) { - if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) + if ((ret = parse_strk(s, fourxm, header + i, size, + header_size - i)) < 0) goto fail; i += 8 + size; |