Commit 9ccb8651 authored by Francois Cartegnie's avatar Francois Cartegnie Committed by Jean-Baptiste Kempf

demux: asf: stay within track limits

(cherry picked from commit a61da5b40d25af4fd0417eb3a9a172a92e62c659)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent ea7af98d
...@@ -72,7 +72,7 @@ static int Demux ( demux_t * ); ...@@ -72,7 +72,7 @@ static int Demux ( demux_t * );
static int Control( demux_t *, int i_query, va_list args ); static int Control( demux_t *, int i_query, va_list args );
static void FlushRemainingPackets( demux_t *p_demux ); static void FlushRemainingPackets( demux_t *p_demux );
#define MAX_ASF_TRACKS 128 #define MAX_ASF_TRACKS (ASF_MAX_STREAMNUMBER + 1)
#define ASF_PREROLL_FROM_CURRENT -1 #define ASF_PREROLL_FROM_CURRENT -1
typedef struct typedef struct
...@@ -745,6 +745,8 @@ static int DemuxPayload(demux_t *p_demux, struct asf_packet_t *pkt, int i_payloa ...@@ -745,6 +745,8 @@ static int DemuxPayload(demux_t *p_demux, struct asf_packet_t *pkt, int i_payloa
bool b_packet_keyframe = pkt->p_peek[pkt->i_skip] >> 7; bool b_packet_keyframe = pkt->p_peek[pkt->i_skip] >> 7;
uint8_t i_stream_number = pkt->p_peek[pkt->i_skip++] & 0x7f; uint8_t i_stream_number = pkt->p_peek[pkt->i_skip++] & 0x7f;
if ( i_stream_number >= MAX_ASF_TRACKS )
goto skip;
uint32_t i_media_object_number = 0; uint32_t i_media_object_number = 0;
if (GetValue2b(&i_media_object_number, pkt->p_peek, &pkt->i_skip, pkt->left - pkt->i_skip, pkt->property >> 4) < 0) if (GetValue2b(&i_media_object_number, pkt->p_peek, &pkt->i_skip, pkt->left - pkt->i_skip, pkt->property >> 4) < 0)
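Review bot: The new guard `if ( i_stream_number >= MAX_ASF_TRACKS ) goto skip;` in DemuxPayload cannot fire as written, because the line above masks the byte with `& 0x7f` and MAX_ASF_TRACKS now evaluates to 128. That is harmless as defence in depth, but the bounds safety of anything indexed by this file-controlled value depends on the mask width and the table size staying in step, and nothing in the code states that. I would keep the guard and pin the relationship at compile time, e.g. `static_assert( MAX_ASF_TRACKS > 0x7f, "stream number mask must fit the track table" );`, or at least say so in a comment on the guard. DemuxPayload's body and the `skip` label lie outside the hunk, so it is worth confirming that nothing after `skip` reads the variables declared below the jump.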
......
...@@ -543,7 +543,9 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj ) ...@@ -543,7 +543,9 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
p_sp->i_type_specific_data_length = GetDWLE( p_peek + 64 ); p_sp->i_type_specific_data_length = GetDWLE( p_peek + 64 );
p_sp->i_error_correction_data_length = GetDWLE( p_peek + 68 ); p_sp->i_error_correction_data_length = GetDWLE( p_peek + 68 );
p_sp->i_flags = GetWLE( p_peek + 72 ); p_sp->i_flags = GetWLE( p_peek + 72 );
p_sp->i_stream_number = p_sp->i_flags&0x07f; p_sp->i_stream_number = p_sp->i_flags&0x07f;
if ( p_sp->i_stream_number > ASF_MAX_STREAMNUMBER )
return VLC_EGENERIC;
p_sp->i_reserved = GetDWLE( p_peek + 74 ); p_sp->i_reserved = GetDWLE( p_peek + 74 );
i_peek -= 78; i_peek -= 78;
...@@ -828,13 +830,15 @@ static int ASF_ReadObject_stream_bitrate_properties( stream_t *s, ...@@ -828,13 +830,15 @@ static int ASF_ReadObject_stream_bitrate_properties( stream_t *s,
p_data = &p_peek[24]; p_data = &p_peek[24];
p_sb->i_bitrate = ASF_READ2(); p_sb->i_bitrate = ASF_READ2();
if( p_sb->i_bitrate > 127 ) if( p_sb->i_bitrate > ASF_MAX_STREAMNUMBER )
p_sb->i_bitrate = 127; /* Buggy ? */ p_sb->i_bitrate = ASF_MAX_STREAMNUMBER; /* Buggy ? */
for( i = 0; i < p_sb->i_bitrate; i++ ) for( i = 0; i < p_sb->i_bitrate; i++ )
{ {
if( !ASF_HAVE(2 + 4) ) if( !ASF_HAVE(2 + 4) )
break; break;
p_sb->bitrate[i].i_stream_number = (uint8_t) ASF_READ2()& 0x7f; p_sb->bitrate[i].i_stream_number = (uint8_t) ASF_READ2()& 0x7f;
if ( p_sb->bitrate[i].i_stream_number > ASF_MAX_STREAMNUMBER )
return VLC_EGENERIC;
p_sb->bitrate[i].i_avg_bitrate = ASF_READ4(); p_sb->bitrate[i].i_avg_bitrate = ASF_READ4();
} }
p_sb->i_bitrate = i; p_sb->i_bitrate = i;
...@@ -879,6 +883,8 @@ static int ASF_ReadObject_extended_stream_properties( stream_t *s, ...@@ -879,6 +883,8 @@ static int ASF_ReadObject_extended_stream_properties( stream_t *s,
p_esp->i_maximum_object_size = GetDWLE( &p_data[40] ); p_esp->i_maximum_object_size = GetDWLE( &p_data[40] );
p_esp->i_flags = GetDWLE( &p_data[44] ); p_esp->i_flags = GetDWLE( &p_data[44] );
p_esp->i_stream_number = GetWLE( &p_data[48] ); p_esp->i_stream_number = GetWLE( &p_data[48] );
if ( p_esp->i_stream_number > ASF_MAX_STREAMNUMBER )
return VLC_EGENERIC;
p_esp->i_language_index = GetWLE( &p_data[50] ); p_esp->i_language_index = GetWLE( &p_data[50] );
p_esp->i_average_time_per_frame= GetQWLE( &p_data[52] ); p_esp->i_average_time_per_frame= GetQWLE( &p_data[52] );
p_esp->i_stream_name_count = GetWLE( &p_data[60] ); p_esp->i_stream_name_count = GetWLE( &p_data[60] );
...@@ -1021,12 +1027,19 @@ static int ASF_ReadObject_advanced_mutual_exclusion( stream_t *s, ...@@ -1021,12 +1027,19 @@ static int ASF_ReadObject_advanced_mutual_exclusion( stream_t *s,
p_ae->i_stream_number_count = ASF_READ2(); p_ae->i_stream_number_count = ASF_READ2();
p_ae->pi_stream_number = calloc( p_ae->i_stream_number_count, sizeof(uint16_t) ); p_ae->pi_stream_number = calloc( p_ae->i_stream_number_count, sizeof(uint16_t) );
if ( !p_ae->pi_stream_number )
return VLC_ENOMEM;
for( i = 0; i < p_ae->i_stream_number_count; i++ ) for( i = 0; i < p_ae->i_stream_number_count; i++ )
{ {
if( !ASF_HAVE(2) ) if( !ASF_HAVE(2) )
break; break;
p_ae->pi_stream_number[i] = ASF_READ2(); p_ae->pi_stream_number[i] = ASF_READ2();
if ( p_ae->pi_stream_number[i] > ASF_MAX_STREAMNUMBER )
{
free( p_ae->pi_stream_number );
return VLC_EGENERIC;
}
} }
p_ae->i_stream_number_count = i; p_ae->i_stream_number_count = i;
...@@ -1133,6 +1146,11 @@ static int ASF_ReadObject_bitrate_mutual_exclusion( stream_t *s, asf_object_t *p ...@@ -1133,6 +1146,11 @@ static int ASF_ReadObject_bitrate_mutual_exclusion( stream_t *s, asf_object_t *p
if( !ASF_HAVE(2) ) if( !ASF_HAVE(2) )
break; break;
p_ex->pi_stream_numbers[i] = ASF_READ2(); p_ex->pi_stream_numbers[i] = ASF_READ2();
if ( p_ex->pi_stream_numbers[i] > ASF_MAX_STREAMNUMBER )
{
free( p_ex->pi_stream_numbers );
return VLC_EGENERIC;
}
} }
#ifdef ASF_DEBUG #ifdef ASF_DEBUG
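Review bot: Both new rejection paths free the stream-number array but leave the stale pointer in the object: `free( p_ae->pi_stream_number )` in ASF_ReadObject_advanced_mutual_exclusion and `free( p_ex->pi_stream_numbers )` in ASF_ReadObject_bitrate_mutual_exclusion. If the caller's error handling, which is not visible here, runs the object's free routine after a failed read, a malformed file would turn this into a double free. Clearing the fields before returning removes that dependency on the caller: `free( p_ae->pi_stream_number ); p_ae->pi_stream_number = NULL; p_ae->i_stream_number_count = 0;`, with the same pointer reset for `p_ex->pi_stream_numbers`. Both function bodies extend beyond their hunks.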
......
...@@ -21,6 +21,8 @@ ...@@ -21,6 +21,8 @@
*****************************************************************************/ *****************************************************************************/
#define ASF_MAX_STREAMNUMBER 127
/***************************************************************************** /*****************************************************************************
* Structure needed for decoder * Structure needed for decoder
*****************************************************************************/ *****************************************************************************/
...@@ -244,7 +246,7 @@ typedef struct ...@@ -244,7 +246,7 @@ typedef struct
{ {
uint8_t i_stream_number; uint8_t i_stream_number;
uint32_t i_avg_bitrate; uint32_t i_avg_bitrate;
} bitrate[128]; } bitrate[ASF_MAX_STREAMNUMBER + 1];
} asf_object_stream_bitrate_properties_t; } asf_object_stream_bitrate_properties_t;
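Review bot: `ASF_MAX_STREAMNUMBER` is introduced without a comment, and it is easy to misread as a count rather than the highest valid index. The distinction matters because the parsers in this commit compare with `>` and the tables are sized `ASF_MAX_STREAMNUMBER + 1`. I would add above the define: `/* Highest valid ASF stream number (7-bit field); tables indexed by stream number need ASF_MAX_STREAMNUMBER + 1 entries. */`. The 7-bit reading is inferred from the `& 0x7f` masks in the parser hunks, so confirm it against the format specification before committing the wording.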
......