Commit 330ba229 authored by Rafaël Carré's avatar Rafaël Carré

asf demux: fix #8024

Replace macro with static inline and use bounds checking
(cherry picked from commit b31ce523331aa3a6e620b68cdfe3f161d519631e)
Signed-off-by: default avatarRafaël Carré <funman@videolan.org>
parent b5b2dd3c
...@@ -383,15 +383,30 @@ static mtime_t GetMoviePTS( demux_sys_t *p_sys ) ...@@ -383,15 +383,30 @@ static mtime_t GetMoviePTS( demux_sys_t *p_sys )
return i_time; return i_time;
} }
#define GETVALUE2b( bits, var, def ) \ static inline int GetValue2b(int *var, const uint8_t *p, int *skip, int left, int bits)
switch( (bits)&0x03 ) \ {
{ \ switch(bits&0x03)
case 1: var = p_peek[i_skip]; i_skip++; break; \ {
case 2: var = GetWLE( p_peek + i_skip ); i_skip+= 2; break; \ case 1:
case 3: var = GetDWLE( p_peek + i_skip ); i_skip+= 4; break; \ if (left < 1)
case 0: \ return -1;
default: var = def; break;\ *var = p[*skip]; *skip += 1;
return 0;
case 2:
if (left < 2)
return -1;
*var = GetWLE(&p[*skip]); *skip += 2;
return 0;
case 3:
if (left < 4)
return -1;
*var = GetDWLE(&p[*skip]); *skip += 4;
return 0;
case 0:
default:
return 0;
} }
}
static int DemuxPacket( demux_t *p_demux ) static int DemuxPacket( demux_t *p_demux )
{ {
...@@ -405,15 +420,15 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -405,15 +420,15 @@ static int DemuxPacket( demux_t *p_demux )
int i_packet_property; int i_packet_property;
int b_packet_multiple_payload; int b_packet_multiple_payload;
int i_packet_length; int i_packet_length = i_data_packet_min;
int i_packet_sequence; int i_packet_sequence = 0;
int i_packet_padding_length; int i_packet_padding_length = 0;
uint32_t i_packet_send_time; uint32_t i_packet_send_time;
uint16_t i_packet_duration;
int i_payload; int i_payload;
int i_payload_count; int i_payload_count;
int i_payload_length_type; int i_payload_length_type;
int peek_size;
if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)<i_data_packet_min ) if( stream_Peek( p_demux->s, &p_peek,i_data_packet_min)<i_data_packet_min )
...@@ -421,6 +436,7 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -421,6 +436,7 @@ static int DemuxPacket( demux_t *p_demux )
msg_Warn( p_demux, "cannot peek while getting new packet, EOF ?" ); msg_Warn( p_demux, "cannot peek while getting new packet, EOF ?" );
return 0; return 0;
} }
peek_size = i_data_packet_min;
i_skip = 0; i_skip = 0;
/* *** parse error correction if present *** */ /* *** parse error correction if present *** */
...@@ -461,9 +477,12 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -461,9 +477,12 @@ static int DemuxPacket( demux_t *p_demux )
b_packet_multiple_payload = i_packet_flags&0x01; b_packet_multiple_payload = i_packet_flags&0x01;
/* read some value */ /* read some value */
GETVALUE2b( i_packet_flags >> 5, i_packet_length, i_data_packet_min ); if (GetValue2b(&i_packet_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 5) < 0)
GETVALUE2b( i_packet_flags >> 1, i_packet_sequence, 0 ); goto loop_error_recovery;
GETVALUE2b( i_packet_flags >> 3, i_packet_padding_length, 0 ); if (GetValue2b(&i_packet_sequence, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 1) < 0)
goto loop_error_recovery;
if (GetValue2b(&i_packet_padding_length, p_peek, &i_skip, peek_size - i_skip, i_packet_flags >> 3) < 0)
goto loop_error_recovery;
if( i_packet_padding_length > i_packet_length ) if( i_packet_padding_length > i_packet_length )
{ {
...@@ -479,7 +498,7 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -479,7 +498,7 @@ static int DemuxPacket( demux_t *p_demux )
} }
i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4; i_packet_send_time = GetDWLE( p_peek + i_skip ); i_skip += 4;
i_packet_duration = GetWLE( p_peek + i_skip ); i_skip += 2; /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
i_packet_size_left = i_packet_length; i_packet_size_left = i_packet_length;
...@@ -501,13 +520,13 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -501,13 +520,13 @@ static int DemuxPacket( demux_t *p_demux )
int i_packet_keyframe; int i_packet_keyframe;
unsigned int i_stream_number; unsigned int i_stream_number;
int i_media_object_number; int i_media_object_number = 0;
int i_media_object_offset; int i_media_object_offset;
int i_replicated_data_length; int i_replicated_data_length = 0;
int i_payload_data_length; int i_payload_data_length = 0;
int i_payload_data_pos; int i_payload_data_pos;
int i_sub_payload_data_length; int i_sub_payload_data_length;
int i_tmp; int i_tmp = 0;
mtime_t i_pts; mtime_t i_pts;
mtime_t i_pts_delta; mtime_t i_pts_delta;
...@@ -521,9 +540,12 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -521,9 +540,12 @@ static int DemuxPacket( demux_t *p_demux )
i_packet_keyframe = p_peek[i_skip] >> 7; i_packet_keyframe = p_peek[i_skip] >> 7;
i_stream_number = p_peek[i_skip++] & 0x7f; i_stream_number = p_peek[i_skip++] & 0x7f;
GETVALUE2b( i_packet_property >> 4, i_media_object_number, 0 ); if (GetValue2b(&i_media_object_number, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 4) < 0)
GETVALUE2b( i_packet_property >> 2, i_tmp, 0 ); break;
GETVALUE2b( i_packet_property, i_replicated_data_length, 0 ); if (GetValue2b(&i_tmp, p_peek, &i_skip, peek_size - i_skip, i_packet_property >> 2) < 0)
break;
if (GetValue2b(&i_replicated_data_length, p_peek, &i_skip, peek_size - i_skip, i_packet_property) < 0)
break;
if( i_replicated_data_length > 1 ) // should be at least 8 bytes if( i_replicated_data_length > 1 ) // should be at least 8 bytes
{ {
...@@ -558,7 +580,9 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -558,7 +580,9 @@ static int DemuxPacket( demux_t *p_demux )
i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 ); i_pts = __MAX( i_pts - p_sys->p_fp->i_preroll * 1000, 0 );
if( b_packet_multiple_payload ) if( b_packet_multiple_payload )
{ {
GETVALUE2b( i_payload_length_type, i_payload_data_length, 0 ); i_payload_data_length = 0;
if (GetValue2b(&i_payload_data_length, p_peek, &i_skip, peek_size - i_skip, i_payload_length_type) < 0)
break;
} }
else else
{ {
...@@ -645,6 +669,7 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -645,6 +669,7 @@ static int DemuxPacket( demux_t *p_demux )
return 0; return 0;
} }
i_packet_size_left -= i_read; i_packet_size_left -= i_read;
peek_size = 0;
p_frag->p_buffer += i_skip; p_frag->p_buffer += i_skip;
p_frag->i_buffer -= i_skip; p_frag->i_buffer -= i_skip;
...@@ -672,6 +697,7 @@ static int DemuxPacket( demux_t *p_demux ) ...@@ -672,6 +697,7 @@ static int DemuxPacket( demux_t *p_demux )
msg_Warn( p_demux, "cannot peek, EOF ?" ); msg_Warn( p_demux, "cannot peek, EOF ?" );
return 0; return 0;
} }
peek_size = i_packet_size_left;
} }
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment