thpdemux: Check that packed sizes are within the files data size and filesize.

Fixes Ticket774 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

thpdemux: Check that packed sizes are within the files data size and filesize.
Fixes Ticket774 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
482ee636 · Michael Niedermayer · e098fba5 · 482ee636
Commit 482ee636 authored Dec 16, 2011 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 3 deletions

thp.c libavformat/thp.c +16 -3

No files found.
--- a/libavformat/thp.c
+++ b/libavformat/thp.c
@@ -26,6 +26,7 @@
 typedef struct ThpDemuxContext {
    int              version;
+    unsigned         data_size;
    int              first_frame;
    int              first_framesz;
    int              last_frame;
@@ -41,7 +42,7 @@ typedef struct ThpDemuxContext {
    unsigned char    components[16];
    AVStream*        vst;
    int              has_audio;
-    int              audiosize;
+    unsigned         audiosize;
 } ThpDemuxContext;
@@ -60,6 +61,7 @@ static int thp_read_header(AVFormatContext *s,
    ThpDemuxContext *thp = s->priv_data;
    AVStream *st;
    AVIOContext *pb = s->pb;
+    int64_t fsize= avio_size(pb);
    int i;
    /* Read the file header.  */
@@ -72,7 +74,9 @@ static int thp_read_header(AVFormatContext *s,
    thp->fps             = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX);
    thp->framecnt        = avio_rb32(pb);
    thp->first_framesz   = avio_rb32(pb);
-                           avio_rb32(pb); /* Data size.  */
+    thp->data_size       = avio_rb32(pb);
+    if(fsize>0 && (!thp->data_size || fsize < thp->data_size))
+        thp->data_size= fsize;
    thp->compoff         = avio_rb32(pb);
                           avio_rb32(pb); /* offsetDataOffset.  */
@@ -143,7 +147,7 @@ static int thp_read_packet(AVFormatContext *s,
 {
    ThpDemuxContext *thp = s->priv_data;
    AVIOContext *pb = s->pb;
-    int size;
+    unsigned int size;
    int ret;
    if (thp->audiosize == 0) {
@@ -159,6 +163,10 @@ static int thp_read_packet(AVFormatContext *s,
                        avio_rb32(pb); /* Previous total size.  */
        size          = avio_rb32(pb); /* Total size of this frame.  */
+        if(thp->data_size && avio_tell(pb) + size > thp->data_size) {
+            av_log(s, AV_LOG_ERROR, "Video packet truncated\n");
+            size= thp->data_size - avio_tell(pb);
+        }
        /* Store the audiosize so the next time this function is called,
           the audio can be read.  */
@@ -175,6 +183,11 @@ static int thp_read_packet(AVFormatContext *s,
        pkt->stream_index = thp->video_stream_index;
    } else {
+        if(thp->data_size && avio_tell(pb) + thp->audiosize > thp->data_size){
+            av_log(s, AV_LOG_ERROR, "Audio packet truncated\n");
+            thp->audiosize= thp->data_size - avio_tell(pb);
+        }
        ret = av_get_packet(pb, pkt, thp->audiosize);
        if (ret != thp->audiosize) {
            av_free_packet(pkt);