matroskadec: validate lace_size when parsed

Stricter validation, explicitly exit on misparsing and some error forwarding from the ebml parsing functions used.
author: Luca Barbato <lu_zero@gentoo.org> 2012-09-14 21:24:23 +0200
committer: Luca Barbato <lu_zero@gentoo.org> 2012-09-19 20:34:14 +0200
commit: 870e75524aa0d00ebcd1d15589c8d29b84af1565 (patch)
tree: 47769960347022efe40ce9870a2434466258fd84 /libavformat/matroskadec.c
parent: c9a39cec70603f662f4c326b21b11c4f0112079a (diff)
1 files changed, 16 insertions, 7 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 27c962eab1..ff2a6c29dc 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1829,11 +1829,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                         }
                         total += lace_size[n];
                     }
+                    if (size <= total) {
+                        res = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                     lace_size[n] = size - total;
                     break;
                 }
 
                 case 0x2: /* fixed-size lacing */
+                    if (size != (size / laces) * size) {
+                        res = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                     for (n = 0; n < laces; n++)
                         lace_size[n] = size / laces;
                     break;
@@ -1844,7 +1852,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                     if (n < 0) {
                         av_log(matroska->ctx, AV_LOG_INFO,
                                "EBML block data error\n");
-                        break;
+                        res = n;
+                        goto end;
                     }
                     data += n;
                     size -= n;
@@ -1856,13 +1865,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                         if (r < 0) {
                             av_log(matroska->ctx, AV_LOG_INFO,
                                    "EBML block data error\n");
-                            break;
+                            res = r;
+                            goto end;
                         }
                         data += r;
                         size -= r;
                         lace_size[n] = lace_size[n - 1] + snum;
                         total += lace_size[n];
                     }
+                    if (size <= total) {
+                        res = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                     lace_size[laces - 1] = size - total;
                     break;
                 }
@@ -1940,11 +1954,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                 uint32_t pkt_size = lace_size[n];
                 uint8_t *pkt_data = data;
 
-                if (pkt_size > size) {
-                    av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
-                    break;
-                }
-
                 if (encodings && encodings->scope & 1) {
                     res = matroska_decode_buffer(&pkt_data, &pkt_size, track);
                     if (res < 0)
author	Luca Barbato <lu_zero@gentoo.org>	2012-09-14 21:24:23 +0200
committer	Luca Barbato <lu_zero@gentoo.org>	2012-09-19 20:34:14 +0200
commit	870e75524aa0d00ebcd1d15589c8d29b84af1565 (patch)
tree	47769960347022efe40ce9870a2434466258fd84 /libavformat/matroskadec.c
parent	c9a39cec70603f662f4c326b21b11c4f0112079a (diff)