Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
V
vlc-1.1
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Redmine
Redmine
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Metrics
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
videolan
vlc-1.1
Commits
8833f144
Commit
8833f144
authored
Nov 18, 2008
by
Laurent Aimar
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fixed possible out of bound access + infinite loop in dirac header.
parent
95777ade
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
18 additions
and
13 deletions
+18
-13
modules/demux/ogg.c
modules/demux/ogg.c
+18
-13
No files found.
modules/demux/ogg.c
View file @
8833f144
...
...
@@ -873,7 +873,6 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
* We found the beginning of our first logical stream. */
while
(
ogg_page_bos
(
&
oggpage
)
)
{
logical_stream_t
**
pp_sav
=
p_ogg
->
pp_stream
;
logical_stream_t
*
p_stream
;
p_stream
=
malloc
(
sizeof
(
logical_stream_t
)
);
...
...
@@ -1753,8 +1752,8 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
static
uint32_t
dirac_uint
(
bs_t
*
p_bs
)
{
uint32_t
u_count
=
0
,
u_value
=
0
;
/* FIXME possible infinite loop */
while
(
!
bs_read
(
p_bs
,
1
)
)
while
(
!
bs_
eof
(
p_bs
)
&&
!
bs_
read
(
p_bs
,
1
)
)
{
u_count
++
;
u_value
<<=
1
;
...
...
@@ -1810,26 +1809,32 @@ static void Ogg_ReadDiracHeader( logical_stream_t *p_stream,
static
const
struct
{
uint32_t
u_n
/* numerator */
,
u_d
/* denominator */
;
}
dirac_frate_tbl
[]
=
{
/* table 10.3 */
}
p_
dirac_frate_tbl
[]
=
{
/* table 10.3 */
{
1
,
1
},
/* this first value is never used */
{
24000
,
1001
},
{
24
,
1
},
{
25
,
1
},
{
30000
,
1001
},
{
30
,
1
},
{
50
,
1
},
{
60000
,
1001
},
{
60
,
1
},
{
15000
,
1001
},
{
25
,
2
},
};
static
const
size_t
u_dirac_frate_tbl
=
sizeof
(
p_dirac_frate_tbl
)
/
sizeof
(
*
p_dirac_frate_tbl
);
static
const
uint32_t
dirac_vidfmt_frate
[]
=
{
/* table C.1 */
static
const
uint32_t
pu_
dirac_vidfmt_frate
[]
=
{
/* table C.1 */
1
,
9
,
10
,
9
,
10
,
9
,
10
,
4
,
3
,
7
,
6
,
4
,
3
,
7
,
6
,
2
,
2
,
7
,
6
,
7
,
6
,
};
static
const
size_t
u_dirac_vidfmt_frate
=
sizeof
(
pu_dirac_vidfmt_frate
)
/
sizeof
(
*
pu_dirac_vidfmt_frate
);
/* */
if
(
u_video_format
>=
u_dirac_vidfmt_frate
)
u_video_format
=
0
;
/* FIXME possible out of bound access */
uint32_t
u_n
=
dirac_frate_tbl
[
dirac_vidfmt_frate
[
u_video_format
]].
u_n
;
uint32_t
u_d
=
dirac_frate_tbl
[
dirac_vidfmt_frate
[
u_video_format
]].
u_d
;
uint32_t
u_n
=
p_dirac_frate_tbl
[
pu_dirac_vidfmt_frate
[
u_video_format
]].
u_n
;
uint32_t
u_d
=
p_dirac_frate_tbl
[
pu_dirac_vidfmt_frate
[
u_video_format
]].
u_d
;
if
(
dirac_bool
(
&
bs
)
)
{
/* FIXME possible out of bound access */
uint32_t
frame_rate_index
=
dirac_uint
(
&
bs
);
u_n
=
dirac_frate_tbl
[
frame_rate_index
].
u_n
;
u_d
=
dirac_frate_tbl
[
frame_rate_index
].
u_d
;
if
(
frame_rate_index
==
0
)
uint32_t
u_frame_rate_index
=
dirac_uint
(
&
bs
);
if
(
u_frame_rate_index
>
u_dirac_frate_tbl
)
u_frame_rate_index
=
0
;
u_n
=
p_dirac_frate_tbl
[
u_frame_rate_index
].
u_n
;
u_d
=
p_dirac_frate_tbl
[
u_frame_rate_index
].
u_d
;
if
(
u_frame_rate_index
==
0
)
{
u_n
=
dirac_uint
(
&
bs
);
/* frame_rate_numerator */
u_d
=
dirac_uint
(
&
bs
);
/* frame_rate_denominator */
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment