demux: asf: enforce root object boundary (fix #9441)

Seems some encoder reuses previous memory area for junk sections.

demux: asf: enforce root object boundary (fix #9441)
Seems some encoder reuses previous memory area for junk sections.
2ca8c9db · Francois Cartegnie · 5e8fb7c2 · 2ca8c9db
Commit 2ca8c9db authored Nov 25, 2013 by Francois Cartegnie
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 5 deletions

modules/demux/asf/libasf.c modules/demux/asf/libasf.c +23 -5

No files found.
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -141,9 +141,16 @@ static int ASF_ReadObjectCommon( stream_t *s, asf_object_t *p_obj )
    return VLC_SUCCESS;
 }
-static int ASF_NextObject( stream_t *s, asf_object_t *p_obj )
+static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary )
 {
    asf_object_t obj;
+    int64_t i_pos = stream_Tell( s );
+    if ( i_boundary && i_pos >= 0 && (uint64_t) i_pos >= i_boundary )
+    {
+        return VLC_EGENERIC;
+    }
    if( p_obj == NULL )
    {
        if( ASF_ReadObjectCommon( s, &obj ) )
@@ -213,7 +220,7 @@ static int  ASF_ReadObject_Header( stream_t *s, asf_object_t *p_obj )
            free( p_subobj );
            break;
        }
-        if( ASF_NextObject( s, p_subobj ) ) /* Go to the next object */
+        if( ASF_NextObject( s, p_subobj, 0 ) ) /* Go to the next object */
            break;
    }
    return VLC_SUCCESS;
@@ -505,7 +512,7 @@ static int ASF_ReadObject_header_extension( stream_t *s, asf_object_t *p_obj )
            break;
        }
-        if( ASF_NextObject( s, p_obj ) ) /* Go to the next object */
+        if( ASF_NextObject( s, p_obj, 0 ) ) /* Go to the next object */
        {
            break;
        }
@@ -1603,6 +1610,7 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
 {
    asf_object_root_t *p_root = malloc( sizeof( asf_object_root_t ) );
    asf_object_t *p_obj;
+    uint64_t i_boundary = 0;
    if( !p_root )
        return NULL;
@@ -1632,12 +1640,15 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
        switch( p_obj->common.i_type )
        {
            case( ASF_OBJECT_HEADER ):
+                if ( p_root->p_index || p_root->p_data || p_root->p_hdr ) break;
                p_root->p_hdr = (asf_object_header_t*)p_obj;
                break;
            case( ASF_OBJECT_DATA ):
+                if ( p_root->p_index || p_root->p_data ) break;
                p_root->p_data = (asf_object_data_t*)p_obj;
-                break;
+            break;
            case( ASF_OBJECT_INDEX ):
+                if ( p_root->p_index ) break;
                p_root->p_index = (asf_object_index_t*)p_obj;
                break;
            default:
@@ -1645,6 +1656,13 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
                      GUID_PRINT( p_obj->common.i_object_id ) );
                break;
        }
+        /* Set a limit to avoid junk when possible */
+        if ( !guidcmp( &p_obj->common.i_object_id, &asf_object_file_properties_guid ) )
+        {
+            i_boundary = p_obj->file_properties.i_file_size;
+        }
        if( p_obj->common.i_type == ASF_OBJECT_DATA &&
            p_obj->common.i_object_size <= 50 )
        {
@@ -1657,7 +1675,7 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
            break;
        }
-        if( ASF_NextObject( s, p_obj ) ) /* Go to the next object */
+        if( ASF_NextObject( s, p_obj, i_boundary ) ) /* Go to the next object */
            break;
    }