diff options
author | Måns Rullgård <mans@mansr.com> | 2007-10-10 22:59:31 +0000 |
---|---|---|
committer | Måns Rullgård <mans@mansr.com> | 2007-10-10 22:59:31 +0000 |
commit | f5475e1b38a37c6da2e26097242cf82a2b1a9ee9 (patch) | |
tree | c09d5fde14f9b2e6fbe917f8ee7c8c0ac167c2b2 | |
parent | 62f2c069b8da6d71896e8ef96b333a3a3d446167 (diff) | |
download | ffmpeg-f5475e1b38a37c6da2e26097242cf82a2b1a9ee9.tar.gz |
fix buffer overread with invalid Vorbis header
Originally committed as revision 10705 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavformat/oggparsevorbis.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index be8dd3fca6..8d09cbd487 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -32,17 +32,17 @@ extern int vorbis_comment(AVFormatContext * as, uint8_t *buf, int size) { - char *p = buf; - int s, n, j; + uint8_t *p = buf; + unsigned s, n, j; - if (size < 4) + if (size < 8) /* must have vendor_length and user_comment_list_length */ return -1; s = AV_RL32(p); p += 4; size -= 4; - if (size < s + 4) + if (size - 4 < s) return -1; p += s; @@ -174,12 +174,19 @@ vorbis_header (AVFormatContext * s, int idx) return 0; } + if (os->psize < 1) + return -1; + priv = os->private; priv->len[os->seq] = os->psize; priv->packet[os->seq] = av_mallocz(os->psize); memcpy(priv->packet[os->seq], os->buf + os->pstart, os->psize); if (os->buf[os->pstart] == 1) { uint8_t *p = os->buf + os->pstart + 11; //skip up to the audio channels + + if (os->psize != 30) + return -1; + st->codec->channels = *p++; st->codec->sample_rate = AV_RL32(p); p += 8; //skip maximum and and nominal bitrate @@ -191,7 +198,8 @@ vorbis_header (AVFormatContext * s, int idx) st->time_base.num = 1; st->time_base.den = st->codec->sample_rate; } else if (os->buf[os->pstart] == 3) { - vorbis_comment (s, os->buf + os->pstart + 7, os->psize - 8); + if (os->psize > 8) + vorbis_comment (s, os->buf + os->pstart + 7, os->psize - 8); } else { st->codec->extradata_size = fixup_vorbis_headers(s, priv, &st->codec->extradata); |