Commit 379212db authored by David Flynn's avatar David Flynn Committed by Derk-Jan Hartman

Fix handling of dirac EOS data unit.

 - Fixes infinite loop when next_parse_offset = 0
 - Fixes memory access to invalid data with malformed ogg input.
Signed-off-by: default avatarDavid Flynn <davidf@woaf.net>
Signed-off-by: default avatarDerk-Jan Hartman <hartman@videolan.org>
parent 5cbbb0ac
......@@ -435,6 +435,10 @@ static picture_t *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
size_t i_pulen = GetDWBE( p_block->p_buffer + i_bufused + 5 );
uint8_t *p_pu = p_block->p_buffer + i_bufused;
if( 0 == i_pulen ) {
i_pulen = 13;
}
/* blocks that do not start with the parse info prefix are invalid */
if( p_pu[0] != 'B' || p_pu[1] != 'B' ||
p_pu[2] != 'C' || p_pu[3] != 'D')
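Review bot: The new zero check at `if( 0 == i_pulen )` leaves a non-zero next_parse_offset smaller than the 13-byte parse-info header (values 1..12) untouched, so a malformed unit can still carry an undersized i_pulen into whatever consumes it after the prefix test; how the rest of the loop uses i_pulen is outside this hunk, so whether that reaches a bad read cannot be confirmed here. A stricter guard would treat such a value like the invalid-prefix case tested on the next lines rather than letting it through, since a unit shorter than its own header cannot be valid. The literal 13 is also repeated in Ogg_ReadDiracPictureNumber in the ogg file of this commit; a shared named constant such as `enum { DIRAC_PARSE_INFO_SIZE = 13 };` used as `i_pulen = DIRAC_PARSE_INFO_SIZE;` would document what the value stands for in both places. The enclosing DecodeBlock loop starts and ends outside the hunk.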
......@@ -1556,18 +1556,19 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
static uint32_t Ogg_ReadDiracPictureNumber( ogg_packet *p_oggpacket )
{
uint32_t u_pos = 4;
/* protect against falling off the edge */
while ( u_pos + 13 < p_oggpacket->bytes ) {
/* find the picture startcode */
while ( (p_oggpacket->packet[u_pos] & 0x08) == 0) {
if ( p_oggpacket->packet[u_pos] & 0x08 ) {
return GetDWBE( p_oggpacket->packet + u_pos + 9 );
}
/* skip to the next dirac parse unit */
u_pos += GetDWBE( p_oggpacket->packet + u_pos + 1 );
/* protect against falling off the edge */
if ( u_pos > p_oggpacket->bytes )
return -1;
uint32_t u_npo = GetDWBE( p_oggpacket->packet + u_pos + 1 );
if (u_npo == 0)
u_npo = 13;
u_pos += u_npo;
}
uint32_t u_pnum = GetDWBE( p_oggpacket->packet + u_pos + 9 );
return u_pnum;
return -1;
}
static uint32_t dirac_uint( bs_t *p_bs )
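Review bot: `u_pos += u_npo;` adds an offset taken straight from the packet to a uint32_t, so u_pos can wrap, and the loop guard `u_pos + 13 < p_oggpacket->bytes` wraps as well once u_pos lands within 13 of UINT32_MAX; either way the next `p_oggpacket->packet[u_pos]` access reads far outside the packet, which is the class of bug this commit sets out to fix. Bounding the step before the addition closes it: `if ( u_npo > p_oggpacket->bytes - u_pos ) return -1;` placed directly above `u_pos += u_npo;` (the loop condition already guarantees u_pos < bytes at that point, so the subtraction cannot go negative). The function also reports not-found as `return -1` through a uint32_t return type, which a caller cannot distinguish from a genuine picture number of UINT32_MAX; a comment on the declaration stating that UINT32_MAX is the sentinel would at least make that visible. The hardcoded 13 here is the Dirac parse-info header size and would read better as a named constant shared with the decoder.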