Browse Source
matroskadec: validate lace_size when parsed
Stricter validation, explicitly exit on misparsing and some error forwarding from the ebml parsing functions used.tags/n1.0
Luca Barbato
12 years ago
1 changed files with 16 additions and 7 deletions
Unified View
Diff Options
-
+16 -7libavformat/matroskadec.c
+ 16
- 7
libavformat/matroskadec.c
View File
| @@ -1829,11 +1829,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, | |||||
| } | } | ||||
| total += lace_size[n]; | total += lace_size[n]; | ||||
| } | } | ||||
| if (size <= total) { | |||||
| res = AVERROR_INVALIDDATA; | |||||
| goto end; | |||||
| } | |||||
| lace_size[n] = size - total; | lace_size[n] = size - total; | ||||
| break; | break; | ||||
| } | } | ||||
| case 0x2: /* fixed-size lacing */ | case 0x2: /* fixed-size lacing */ | ||||
| if (size != (size / laces) * size) { | |||||
| res = AVERROR_INVALIDDATA; | |||||
| goto end; | |||||
| } | |||||
| for (n = 0; n < laces; n++) | for (n = 0; n < laces; n++) | ||||
| lace_size[n] = size / laces; | lace_size[n] = size / laces; | ||||
| break; | break; | ||||
| @@ -1844,7 +1852,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, | |||||
| if (n < 0) { | if (n < 0) { | ||||
| av_log(matroska->ctx, AV_LOG_INFO, | av_log(matroska->ctx, AV_LOG_INFO, | ||||
| "EBML block data error\n"); | "EBML block data error\n"); | ||||
| break; | |||||
| res = n; | |||||
| goto end; | |||||
| } | } | ||||
| data += n; | data += n; | ||||
| size -= n; | size -= n; | ||||
| @@ -1856,13 +1865,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, | |||||
| if (r < 0) { | if (r < 0) { | ||||
| av_log(matroska->ctx, AV_LOG_INFO, | av_log(matroska->ctx, AV_LOG_INFO, | ||||
| "EBML block data error\n"); | "EBML block data error\n"); | ||||
| break; | |||||
| res = r; | |||||
| goto end; | |||||
| } | } | ||||
| data += r; | data += r; | ||||
| size -= r; | size -= r; | ||||
| lace_size[n] = lace_size[n - 1] + snum; | lace_size[n] = lace_size[n - 1] + snum; | ||||
| total += lace_size[n]; | total += lace_size[n]; | ||||
| } | } | ||||
| if (size <= total) { | |||||
| res = AVERROR_INVALIDDATA; | |||||
| goto end; | |||||
| } | |||||
| lace_size[laces - 1] = size - total; | lace_size[laces - 1] = size - total; | ||||
| break; | break; | ||||
| } | } | ||||
| @@ -1940,11 +1954,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, | |||||
| uint32_t pkt_size = lace_size[n]; | uint32_t pkt_size = lace_size[n]; | ||||
| uint8_t *pkt_data = data; | uint8_t *pkt_data = data; | ||||
| if (pkt_size > size) { | |||||
| av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n"); | |||||
| break; | |||||
| } | |||||
| if (encodings && encodings->scope & 1) { | if (encodings && encodings->scope & 1) { | ||||
| res = matroska_decode_buffer(&pkt_data, &pkt_size, track); | res = matroska_decode_buffer(&pkt_data, &pkt_size, track); | ||||
| if (res < 0) | if (res < 0) | ||||