Skip to content

F
ffmpeg-mt
Commit 53a9b2b0 authored by jbr's avatar jbr
Browse files
Options

Do not read data past the end of the SSND chunk in the AIFF demuxer. 


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20219 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 50cf41e9
Show whitespace changes
Inline Side-by-side
Showing with 16 additions and 2 deletions
libavformat/aiff.c
View file @ 53a9b2b0
...@@ -46,6 +46,10 @@ static const AVCodecTag codec_aiff_tags[] = { ...@@ -46,6 +46,10 @@ static const AVCodecTag codec_aiff_tags[] = {
#define AIFF 0 #define AIFF 0
#define AIFF_C_VERSION1 0xA2805140 #define AIFF_C_VERSION1 0xA2805140
typedef struct {
int64_t data_end;
} AIFFInputContext;
static enum CodecID aiff_codec_get_id(int bps) static enum CodecID aiff_codec_get_id(int bps)
{ {
if (bps <= 8) if (bps <= 8)
...@@ -314,6 +318,7 @@ static int aiff_read_header(AVFormatContext *s, ...@@ -314,6 +318,7 @@ static int aiff_read_header(AVFormatContext *s,
unsigned version = AIFF_C_VERSION1; unsigned version = AIFF_C_VERSION1;
ByteIOContext *pb = s->pb; ByteIOContext *pb = s->pb;
AVStream * st; AVStream * st;
AIFFInputContext *aiff = s->priv_data;
/* check FORM header */ /* check FORM header */
filesize = get_tag(pb, &tag); filesize = get_tag(pb, &tag);
...@@ -366,6 +371,7 @@ static int aiff_read_header(AVFormatContext *s, ...@@ -366,6 +371,7 @@ static int aiff_read_header(AVFormatContext *s,
get_meta(s, "comment" , size); get_meta(s, "comment" , size);
break; break;
case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */
aiff->data_end = url_ftell(pb) + size;
offset = get_be32(pb); /* Offset of sound data */ offset = get_be32(pb); /* Offset of sound data */
get_be32(pb); /* BlockSize... don't care */ get_be32(pb); /* BlockSize... don't care */
offset += url_ftell(pb); /* Compute absolute data offset */ offset += url_ftell(pb); /* Compute absolute data offset */
...@@ -420,10 +426,18 @@ static int aiff_read_packet(AVFormatContext *s, ...@@ -420,10 +426,18 @@ static int aiff_read_packet(AVFormatContext *s,
AVPacket *pkt) AVPacket *pkt)
{ {
AVStream *st = s->streams[0]; AVStream *st = s->streams[0];
AIFFInputContext *aiff = s->priv_data;
int64_t max_size;
int res; int res;
/* calculate size of remaining data */
max_size = aiff->data_end - url_ftell(s->pb);
if (max_size <= 0)
return AVERROR_EOF;
/* Now for that packet */ /* Now for that packet */
res = av_get_packet(s->pb, pkt, (MAX_SIZE / st->codec->block_align) * st->codec->block_align); max_size = FFMIN(max_size, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
res = av_get_packet(s->pb, pkt, max_size);
if (res < 0) if (res < 0)
return res; return res;
...@@ -436,7 +450,7 @@ static int aiff_read_packet(AVFormatContext *s, ...@@ -436,7 +450,7 @@ static int aiff_read_packet(AVFormatContext *s,
AVInputFormat aiff_demuxer = { AVInputFormat aiff_demuxer = {
"aiff", "aiff",
NULL_IF_CONFIG_SMALL("Audio IFF"), NULL_IF_CONFIG_SMALL("Audio IFF"),
0, sizeof(AIFFInputContext),
aiff_probe, aiff_probe,
aiff_read_header, aiff_read_header,
aiff_read_packet, aiff_read_packet,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment