Skip to content

V
vlc
Commit cc356c39 authored by Francois Cartegnie's avatar Francois Cartegnie
Browse files
Options

demux: libmp4: fix invalid tfra values reading

parent c60a55a6
Hide whitespace changes
Inline Side-by-side
Showing with 34 additions and 54 deletions
modules/demux/mp4/libmp4.c
View file @ cc356c39
......@@ -3294,6 +3294,25 @@ static int MP4_ReadBox_mfro( stream_t *p_stream, MP4_Box_t *p_box )
static int MP4_ReadBox_tfra( stream_t *p_stream, MP4_Box_t *p_box )
{
#define READ_VARIABLE_LENGTH(lengthvar, p_array) switch (lengthvar)\
{\
case 0:\
MP4_GET1BYTE( p_array[i] );\
break;\
case 1:\
MP4_GET2BYTES( *((uint16_t *)&p_array[i*2]) );\
break;\
case 2:\
MP4_GET3BYTES( *((uint32_t *)&p_array[i*4]) );\
break;\
case 3:\
MP4_GET4BYTES( *((uint32_t *)&p_array[i*4]) );\
break;\
default:\
goto error;\
}
#define FIX_VARIABLE_LENGTH(lengthvar) if ( lengthvar == 3 ) lengthvar = 4
uint32_t i_number_of_entries;
MP4_READBOX_ENTER( MP4_Box_data_tfra_t );
MP4_Box_data_tfra_t *p_tfra = p_box->data.p_tfra;
......@@ -3314,10 +3333,13 @@ static int MP4_ReadBox_tfra( stream_t *p_stream, MP4_Box_t *p_box )
p_tfra->p_moof_offset = calloc( i_number_of_entries, size );
size = 1 + p_tfra->i_length_size_of_traf_num; /* size in [|1, 4|] */
if ( size == 3 ) size++;
p_tfra->p_traf_number = calloc( i_number_of_entries, size );
size = 1 + p_tfra->i_length_size_of_trun_num;
if ( size == 3 ) size++;
p_tfra->p_trun_number = calloc( i_number_of_entries, size );
size = 1 + p_tfra->i_length_size_of_sample_num;
if ( size == 3 ) size++;
p_tfra->p_sample_number = calloc( i_number_of_entries, size );
if( !p_tfra->p_time || !p_tfra->p_moof_offset || !p_tfra->p_traf_number
......@@ -3336,8 +3358,8 @@ static int MP4_ReadBox_tfra( stream_t *p_stream, MP4_Box_t *p_box )
{
if ( i_read < i_fields_length + 16 )
break;
MP4_GET8BYTES( p_tfra->p_time[i*2] );
MP4_GET8BYTES( p_tfra->p_moof_offset[i*2] );
MP4_GET8BYTES( *((uint64_t *)&p_tfra->p_time[i*2]) );
MP4_GET8BYTES( *((uint64_t *)&p_tfra->p_moof_offset[i*2]) );
}
else
{
......@@ -3346,63 +3368,18 @@ static int MP4_ReadBox_tfra( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GET4BYTES( p_tfra->p_time[i] );
MP4_GET4BYTES( p_tfra->p_moof_offset[i] );
}
switch (p_tfra->i_length_size_of_traf_num)
{
case 0:
MP4_GET1BYTE( p_tfra->p_traf_number[i] );
break;
case 1:
MP4_GET2BYTES( p_tfra->p_traf_number[i*2] );
break;
case 2:
MP4_GET3BYTES( p_tfra->p_traf_number[i*3] );
break;
case 3:
MP4_GET4BYTES( p_tfra->p_traf_number[i*4] );
break;
default:
goto error;
}
switch (p_tfra->i_length_size_of_trun_num)
{
case 0:
MP4_GET1BYTE( p_tfra->p_trun_number[i] );
break;
case 1:
MP4_GET2BYTES( p_tfra->p_trun_number[i*2] );
break;
case 2:
MP4_GET3BYTES( p_tfra->p_trun_number[i*3] );
break;
case 3:
MP4_GET4BYTES( p_tfra->p_trun_number[i*4] );
break;
default:
goto error;
}
switch (p_tfra->i_length_size_of_sample_num)
{
case 0:
MP4_GET1BYTE( p_tfra->p_sample_number[i] );
break;
case 1:
MP4_GET2BYTES( p_tfra->p_sample_number[i*2] );
break;
case 2:
MP4_GET3BYTES( p_tfra->p_sample_number[i*3] );
break;
case 3:
MP4_GET4BYTES( p_tfra->p_sample_number[i*4] );
break;
default:
goto error;
}
READ_VARIABLE_LENGTH(p_tfra->i_length_size_of_traf_num, p_tfra->p_traf_number);
READ_VARIABLE_LENGTH(p_tfra->i_length_size_of_trun_num, p_tfra->p_trun_number);
READ_VARIABLE_LENGTH(p_tfra->i_length_size_of_sample_num, p_tfra->p_sample_number);
}
if ( i < i_number_of_entries )
i_number_of_entries = i;
FIX_VARIABLE_LENGTH(p_tfra->i_length_size_of_traf_num);
FIX_VARIABLE_LENGTH(p_tfra->i_length_size_of_trun_num);
FIX_VARIABLE_LENGTH(p_tfra->i_length_size_of_sample_num);
#ifdef MP4_ULTRA_VERBOSE
for( i = 0; i < i_number_of_entries; i++ )
{
......@@ -3432,6 +3409,9 @@ static int MP4_ReadBox_tfra( stream_t *p_stream, MP4_Box_t *p_box )
MP4_READBOX_EXIT( 1 );
error:
MP4_READBOX_EXIT( 0 );
#undef READ_VARIABLE_LENGTH
#undef FIX_VARIABLE_LENGTH
}
static void MP4_FreeBox_tfra( MP4_Box_t *p_box )
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment