Skip to content

F
ffmpeg.wasm-core
Commit 27a2f659 authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

avformat/vividas: Test size and packet numbers a bit more 

Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 8e51f35f
Hide whitespace changes
Inline Side-by-side
Showing with 19 additions and 8 deletions
libavformat/vividas.c
View file @ 27a2f659
...@@ -429,6 +429,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu ...@@ -429,6 +429,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
int maxnp=0; int maxnp=0;
AVIOContext *pb; AVIOContext *pb;
int i; int i;
int64_t filesize = avio_size(s->pb);
pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL);
if (!pb) if (!pb)
...@@ -437,11 +438,8 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu ...@@ -437,11 +438,8 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
ffio_read_varlen(pb); // track_index_len ffio_read_varlen(pb); // track_index_len
avio_r8(pb); // 'c' avio_r8(pb); // 'c'
viv->n_sb_blocks = ffio_read_varlen(pb); viv->n_sb_blocks = ffio_read_varlen(pb);
if (viv->n_sb_blocks * 2 > size) { if (viv->n_sb_blocks * 2 > size)
viv->n_sb_blocks = 0; goto error;
av_free(pb);
return AVERROR_INVALIDDATA;
}
viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block)); viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block));
if (!viv->sb_blocks) { if (!viv->sb_blocks) {
viv->n_sb_blocks = 0; viv->n_sb_blocks = 0;
...@@ -453,24 +451,37 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu ...@@ -453,24 +451,37 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
poff = 0; poff = 0;
for (i = 0; i < viv->n_sb_blocks; i++) { for (i = 0; i < viv->n_sb_blocks; i++) {
uint64_t size_tmp = ffio_read_varlen(pb);
uint64_t n_packets_tmp = ffio_read_varlen(pb);
if (size_tmp > INT_MAX || n_packets_tmp > INT_MAX)
goto error;
viv->sb_blocks[i].byte_offset = off; viv->sb_blocks[i].byte_offset = off;
viv->sb_blocks[i].packet_offset = poff; viv->sb_blocks[i].packet_offset = poff;
viv->sb_blocks[i].size = ffio_read_varlen(pb); viv->sb_blocks[i].size = size_tmp;
viv->sb_blocks[i].n_packets = ffio_read_varlen(pb); viv->sb_blocks[i].n_packets = n_packets_tmp;
off += viv->sb_blocks[i].size; off += viv->sb_blocks[i].size;
poff += viv->sb_blocks[i].n_packets; poff += viv->sb_blocks[i].n_packets;
if (maxnp < viv->sb_blocks[i].n_packets) if (maxnp < viv->sb_blocks[i].n_packets)
maxnp = viv->sb_blocks[i].n_packets; maxnp = viv->sb_blocks[i].n_packets;
} }
if (filesize > 0 && poff > filesize)
goto error;
viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry)); viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry));
av_free(pb); av_free(pb);
return 0; return 0;
error:
av_free(pb);
viv->n_sb_blocks = 0;
av_freep(&viv->sb_blocks);
return AVERROR_INVALIDDATA;
} }
static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size) static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment