diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-16 05:35:04 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-12-16 05:35:04 +0100 |
| commit | 482ee63641f4fa50f017538af384aadbceee7a18 (patch) | |
| tree | 127f9ed9d64f791d629993ffd7a7e173a82b9439 | |
| parent | e098fba5d9c9d52aaddd83e63dd910ff20b841d2 (diff) | |
thpdemux: Check that packed sizes are within the files data size and filesize.
Fixes Ticket774
Bug found by: Diana Elena Muscalu
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/thp.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/libavformat/thp.c b/libavformat/thp.c index cd50917105..7c3a1cd18d 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -26,6 +26,7 @@ typedef struct ThpDemuxContext { int version; + unsigned data_size; int first_frame; int first_framesz; int last_frame; @@ -41,7 +42,7 @@ typedef struct ThpDemuxContext { unsigned char components[16]; AVStream* vst; int has_audio; - int audiosize; + unsigned audiosize; } ThpDemuxContext; @@ -60,6 +61,7 @@ static int thp_read_header(AVFormatContext *s, ThpDemuxContext *thp = s->priv_data; AVStream *st; AVIOContext *pb = s->pb; + int64_t fsize= avio_size(pb); int i; /* Read the file header. */ @@ -72,7 +74,9 @@ static int thp_read_header(AVFormatContext *s, thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); - avio_rb32(pb); /* Data size. */ + thp->data_size = avio_rb32(pb); + if(fsize>0 && (!thp->data_size || fsize < thp->data_size)) + thp->data_size= fsize; thp->compoff = avio_rb32(pb); avio_rb32(pb); /* offsetDataOffset. */ @@ -143,7 +147,7 @@ static int thp_read_packet(AVFormatContext *s, { ThpDemuxContext *thp = s->priv_data; AVIOContext *pb = s->pb; - int size; + unsigned int size; int ret; if (thp->audiosize == 0) { @@ -159,6 +163,10 @@ static int thp_read_packet(AVFormatContext *s, avio_rb32(pb); /* Previous total size. */ size = avio_rb32(pb); /* Total size of this frame. */ + if(thp->data_size && avio_tell(pb) + size > thp->data_size) { + av_log(s, AV_LOG_ERROR, "Video packet truncated\n"); + size= thp->data_size - avio_tell(pb); + } /* Store the audiosize so the next time this function is called, the audio can be read. */ @@ -175,6 +183,11 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { + if(thp->data_size && avio_tell(pb) + thp->audiosize > thp->data_size){ + av_log(s, AV_LOG_ERROR, "Audio packet truncated\n"); + thp->audiosize= thp->data_size - avio_tell(pb); + } + ret = av_get_packet(pb, pkt, thp->audiosize); if (ret != thp->audiosize) { av_free_packet(pkt); |