Commit 8fe00082 authored by Laurent Aimar's avatar Laurent Aimar

* ogg: fix potential invalid read with broken files (close #272)

parent c23a649a
...@@ -526,7 +526,11 @@ static void Ogg_DecodePacket( demux_t *p_demux, ...@@ -526,7 +526,11 @@ static void Ogg_DecodePacket( demux_t *p_demux,
else if( p_stream->fmt.audio.i_rate ) else if( p_stream->fmt.audio.i_rate )
{ {
p_stream->b_force_backup = 0; p_stream->b_force_backup = 0;
p_oggpacket->packet += 9; p_oggpacket->bytes -= 9; if( p_oggpacket->bytes >= 9 )
{
p_oggpacket->packet += 9;
p_oggpacket->bytes -= 9;
}
} }
b_store_size = VLC_FALSE; b_store_size = VLC_FALSE;
break; break;
...@@ -626,6 +630,9 @@ static void Ogg_DecodePacket( demux_t *p_demux, ...@@ -626,6 +630,9 @@ static void Ogg_DecodePacket( demux_t *p_demux,
return; return;
} }
if( p_oggpacket->bytes <= 0 )
return;
if( !( p_block = block_New( p_demux, p_oggpacket->bytes ) ) ) return; if( !( p_block = block_New( p_demux, p_oggpacket->bytes ) ) ) return;
/* Normalize PTS */ /* Normalize PTS */
...@@ -683,7 +690,10 @@ static void Ogg_DecodePacket( demux_t *p_demux, ...@@ -683,7 +690,10 @@ static void Ogg_DecodePacket( demux_t *p_demux,
} }
i_header_len++; i_header_len++;
if( p_block->i_buffer >= i_header_len )
p_block->i_buffer -= i_header_len; p_block->i_buffer -= i_header_len;
else
p_block->i_buffer = 0;
} }
if( p_stream->fmt.i_codec == VLC_FOURCC( 't','a','r','k' ) ) if( p_stream->fmt.i_codec == VLC_FOURCC( 't','a','r','k' ) )
...@@ -1313,7 +1323,8 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this, ...@@ -1313,7 +1323,8 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
logical_stream_t *p_stream, logical_stream_t *p_stream,
ogg_packet *p_oggpacket ) ogg_packet *p_oggpacket )
{ {
if( ! memcmp( &p_oggpacket->packet[0], "Annodex", 7 ) ) if( p_oggpacket->bytes >= 28 &&
!memcmp( &p_oggpacket->packet[0], "Annodex", 7 ) )
{ {
oggpack_buffer opb; oggpack_buffer opb;
...@@ -1331,7 +1342,8 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this, ...@@ -1331,7 +1342,8 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
timebase_numerator = GetQWLE( &p_oggpacket->packet[16] ); timebase_numerator = GetQWLE( &p_oggpacket->packet[16] );
timebase_denominator = GetQWLE( &p_oggpacket->packet[24] ); timebase_denominator = GetQWLE( &p_oggpacket->packet[24] );
} }
else if( ! memcmp( &p_oggpacket->packet[0], "AnxData", 7 ) ) else if( p_oggpacket->bytes >= 42 &&
!memcmp( &p_oggpacket->packet[0], "AnxData", 7 ) )
{ {
uint64_t granule_rate_numerator; uint64_t granule_rate_numerator;
uint64_t granule_rate_denominator; uint64_t granule_rate_denominator;
...@@ -1346,8 +1358,12 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this, ...@@ -1346,8 +1358,12 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
/* we are guaranteed that the first header field will be /* we are guaranteed that the first header field will be
* the content-type (by the Annodex standard) */ * the content-type (by the Annodex standard) */
content_type_string[0] = '\0';
if( !strncasecmp( &p_oggpacket->packet[28], "Content-Type: ", 14 ) ) if( !strncasecmp( &p_oggpacket->packet[28], "Content-Type: ", 14 ) )
{ {
uint8_t *p = memchr( &p_oggpacket->packet[42], '\r',
p_oggpacket->bytes - 1 );
if( p && p[0] == '\r' && p[1] == '\n' )
sscanf( &p_oggpacket->packet[42], "%1024s\r\n", sscanf( &p_oggpacket->packet[42], "%1024s\r\n",
content_type_string ); content_type_string );
} }
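Review bot: The added `memchr` in the `Content-Type` branch of Ogg_ReadAnnodexHeader starts at `&p_oggpacket->packet[42]` but is given `p_oggpacket->bytes - 1` as its length, which is counted from the start of the packet, so on a packet with no `\r` the search can run up to 42 bytes past the end of the buffer. The length should be relative to the start pointer, `p_oggpacket->bytes - 1 - 42`, and the branch entered only when `p_oggpacket->bytes > 43`, so the subtraction cannot go negative and `p[1]` stays in bounds. In the same function the `Annodex` branch is guarded by `p_oggpacket->bytes >= 28` but calls `GetQWLE( &p_oggpacket->packet[24] )`, which presumably reads eight bytes, so that guard looks like it should be `>= 32`. `content_type_string` is declared outside the visible lines (the function body extends beyond these hunks); `%1024s` stores up to 1025 bytes including the terminator, so confirm the array is at least that large or lower the width by one.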