Commit 9ccb8651 authored by Francois Cartegnie's avatar Francois Cartegnie Committed by Jean-Baptiste Kempf

demux: asf: stay within track limits

(cherry picked from commit a61da5b40d25af4fd0417eb3a9a172a92e62c659)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent ea7af98d
......@@ -72,7 +72,7 @@ static int Demux ( demux_t * );
static int Control( demux_t *, int i_query, va_list args );
static void FlushRemainingPackets( demux_t *p_demux );
#define MAX_ASF_TRACKS 128
#define MAX_ASF_TRACKS (ASF_MAX_STREAMNUMBER + 1)
#define ASF_PREROLL_FROM_CURRENT -1
typedef struct
......@@ -745,6 +745,8 @@ static int DemuxPayload(demux_t *p_demux, struct asf_packet_t *pkt, int i_payloa
bool b_packet_keyframe = pkt->p_peek[pkt->i_skip] >> 7;
uint8_t i_stream_number = pkt->p_peek[pkt->i_skip++] & 0x7f;
if ( i_stream_number >= MAX_ASF_TRACKS )
goto skip;
uint32_t i_media_object_number = 0;
if (GetValue2b(&i_media_object_number, pkt->p_peek, &pkt->i_skip, pkt->left - pkt->i_skip, pkt->property >> 4) < 0)
......
......@@ -544,6 +544,8 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
p_sp->i_error_correction_data_length = GetDWLE( p_peek + 68 );
p_sp->i_flags = GetWLE( p_peek + 72 );
p_sp->i_stream_number = p_sp->i_flags&0x07f;
if ( p_sp->i_stream_number > ASF_MAX_STREAMNUMBER )
return VLC_EGENERIC;
p_sp->i_reserved = GetDWLE( p_peek + 74 );
i_peek -= 78;
......@@ -828,13 +830,15 @@ static int ASF_ReadObject_stream_bitrate_properties( stream_t *s,
p_data = &p_peek[24];
p_sb->i_bitrate = ASF_READ2();
if( p_sb->i_bitrate > 127 )
p_sb->i_bitrate = 127; /* Buggy ? */
if( p_sb->i_bitrate > ASF_MAX_STREAMNUMBER )
p_sb->i_bitrate = ASF_MAX_STREAMNUMBER; /* Buggy ? */
for( i = 0; i < p_sb->i_bitrate; i++ )
{
if( !ASF_HAVE(2 + 4) )
break;
p_sb->bitrate[i].i_stream_number = (uint8_t) ASF_READ2()& 0x7f;
if ( p_sb->bitrate[i].i_stream_number > ASF_MAX_STREAMNUMBER )
return VLC_EGENERIC;
p_sb->bitrate[i].i_avg_bitrate = ASF_READ4();
}
p_sb->i_bitrate = i;
......@@ -879,6 +883,8 @@ static int ASF_ReadObject_extended_stream_properties( stream_t *s,
p_esp->i_maximum_object_size = GetDWLE( &p_data[40] );
p_esp->i_flags = GetDWLE( &p_data[44] );
p_esp->i_stream_number = GetWLE( &p_data[48] );
if ( p_esp->i_stream_number > ASF_MAX_STREAMNUMBER )
return VLC_EGENERIC;
p_esp->i_language_index = GetWLE( &p_data[50] );
p_esp->i_average_time_per_frame= GetQWLE( &p_data[52] );
p_esp->i_stream_name_count = GetWLE( &p_data[60] );
......@@ -1021,12 +1027,19 @@ static int ASF_ReadObject_advanced_mutual_exclusion( stream_t *s,
p_ae->i_stream_number_count = ASF_READ2();
p_ae->pi_stream_number = calloc( p_ae->i_stream_number_count, sizeof(uint16_t) );
if ( !p_ae->pi_stream_number )
return VLC_ENOMEM;
for( i = 0; i < p_ae->i_stream_number_count; i++ )
{
if( !ASF_HAVE(2) )
break;
p_ae->pi_stream_number[i] = ASF_READ2();
if ( p_ae->pi_stream_number[i] > ASF_MAX_STREAMNUMBER )
{
free( p_ae->pi_stream_number );
return VLC_EGENERIC;
}
}
p_ae->i_stream_number_count = i;
......@@ -1133,6 +1146,11 @@ static int ASF_ReadObject_bitrate_mutual_exclusion( stream_t *s, asf_object_t *p
if( !ASF_HAVE(2) )
break;
p_ex->pi_stream_numbers[i] = ASF_READ2();
if ( p_ex->pi_stream_numbers[i] > ASF_MAX_STREAMNUMBER )
{
free( p_ex->pi_stream_numbers );
return VLC_EGENERIC;
}
}
#ifdef ASF_DEBUG
......
......@@ -21,6 +21,8 @@
*****************************************************************************/
#define ASF_MAX_STREAMNUMBER 127
/*****************************************************************************
* Structure needed for decoder
*****************************************************************************/
......@@ -244,7 +246,7 @@ typedef struct
{
uint8_t i_stream_number;
uint32_t i_avg_bitrate;
} bitrate[128];
} bitrate[ASF_MAX_STREAMNUMBER + 1];
} asf_object_stream_bitrate_properties_t;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment