Commit 6902c3ac authored by Michael Niedermayer's avatar Michael Niedermayer

Merge commit '870e7552'

* commit '870e7552':
  matroskadec: validate lace_size when parsed
Merged-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parents 2f39d7ff 870e7552
...@@ -1980,11 +1980,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, ...@@ -1980,11 +1980,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
} }
total += lace_size[n]; total += lace_size[n];
} }
if (size <= total) {
res = AVERROR_INVALIDDATA;
goto end;
}
lace_size[n] = size - total; lace_size[n] = size - total;
break; break;
} }
case 0x2: /* fixed-size lacing */ case 0x2: /* fixed-size lacing */
if (size != (size / laces) * size) {
res = AVERROR_INVALIDDATA;
goto end;
}
for (n = 0; n < laces; n++) for (n = 0; n < laces; n++)
lace_size[n] = size / laces; lace_size[n] = size / laces;
break; break;
...@@ -1995,7 +2003,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, ...@@ -1995,7 +2003,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
if (n < 0) { if (n < 0) {
av_log(matroska->ctx, AV_LOG_INFO, av_log(matroska->ctx, AV_LOG_INFO,
"EBML block data error\n"); "EBML block data error\n");
break; res = n;
goto end;
} }
data += n; data += n;
size -= n; size -= n;
...@@ -2007,13 +2016,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, ...@@ -2007,13 +2016,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
if (r < 0) { if (r < 0) {
av_log(matroska->ctx, AV_LOG_INFO, av_log(matroska->ctx, AV_LOG_INFO,
"EBML block data error\n"); "EBML block data error\n");
break; res = r;
goto end;
} }
data += r; data += r;
size -= r; size -= r;
lace_size[n] = lace_size[n - 1] + snum; lace_size[n] = lace_size[n - 1] + snum;
total += lace_size[n]; total += lace_size[n];
} }
if (size <= total) {
res = AVERROR_INVALIDDATA;
goto end;
}
lace_size[laces - 1] = size - total; lace_size[laces - 1] = size - total;
break; break;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment