Commit cced03dd authored by Michael Niedermayer's avatar Michael Niedermayer

avformat/mms: Add missing chunksize check

Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a
Found-by: 's avatarPaul Ch <paulcher@icloud.com>
1st hunk by Paul Ch <paulcher@icloud.com>
Tested-by: 's avatarPaul Ch <paulcher@icloud.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent a2317556
...@@ -94,6 +94,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) ...@@ -94,6 +94,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
} }
} }
} else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) { } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) {
if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) {
flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
stream_id = flags & 0x7F; stream_id = flags & 0x7F;
//The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
...@@ -113,6 +114,7 @@ int ff_mms_asf_header_parser(MMSContext *mms) ...@@ -113,6 +114,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
"Corrupt stream (too many A/V streams)\n"); "Corrupt stream (too many A/V streams)\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
}
} else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
if (end - p >= 88) { if (end - p >= 88) {
int stream_count = AV_RL16(p + 84), ext_len_count = AV_RL16(p + 86); int stream_count = AV_RL16(p + 84), ext_len_count = AV_RL16(p + 86);
...@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) ...@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
} }
} else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
chunksize = 46; // see references [2] section 3.4. This should be set 46. chunksize = 46; // see references [2] section 3.4. This should be set 46.
if (chunksize > end - p) {
av_log(NULL, AV_LOG_ERROR,
"Corrupt stream (header chunksize %"PRId64" is invalid)\n",
chunksize);
return AVERROR_INVALIDDATA;
}
} }
p += chunksize; p += chunksize;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment