authorJustin Ruggles <[email protected]>2009-10-13 00:19:34 +0000
committerJustin Ruggles <[email protected]>2009-10-13 00:19:34 +0000
commit24c6f152c44bc27b26cee77d4d3395137c40b61e (patch)
tree1c64d4da96a6373bc0239ca4681ad173fbbf37ef
parentdd9d5a1ef807db42aa71c3416cf95e859ebf85ce (diff)
Do not read data past the end of the SSND chunk in the AIFF demuxer.
Fixes Issue 1455. Originally committed as revision 20219 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavformat/aiff.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/libavformat/aiff.c b/libavformat/aiff.c
index 570e05d4e3..b9ee595805 100644
--- a/libavformat/aiff.c
+++ b/libavformat/aiff.c
@@ -46,6 +46,10 @@ static const AVCodecTag codec_aiff_tags[] = {
#define AIFF 0
#define AIFF_C_VERSION1 0xA2805140
+typedef struct {
+ int64_t data_end;
+} AIFFInputContext;
+
static enum CodecID aiff_codec_get_id(int bps)
{
if (bps <= 8)
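Review bot: The new `AIFFInputContext` carries no comment saying what `data_end` measures, and the read path depends on it being an absolute stream position rather than a length. From its assignment in the SSND case it is the `url_ftell()` position plus the chunk size, so a field comment such as `int64_t data_end; /* absolute stream offset of the first byte after the SSND chunk */` would make that contract explicit. It would also help to state that the field stays 0 when no SSND chunk is seen, assuming the demuxer's private data is zero-initialised, because aiff_read_packet then returns EOF on the first call.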
@@ -314,6 +318,7 @@ static int aiff_read_header(AVFormatContext *s,
unsigned version = AIFF_C_VERSION1;
ByteIOContext *pb = s->pb;
AVStream * st;
+ AIFFInputContext *aiff = s->priv_data;
/* check FORM header */
filesize = get_tag(pb, &tag);
@@ -366,6 +371,7 @@ static int aiff_read_header(AVFormatContext *s,
get_meta(s, "comment" , size);
break;
case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */
+ aiff->data_end = url_ftell(pb) + size;
offset = get_be32(pb); /* Offset of sound data */
get_be32(pb); /* BlockSize... don't care */
offset += url_ftell(pb); /* Compute absolute data offset */
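Review bot: `aiff->data_end` is computed from `size` with no range check, and `size` appears to come straight from the chunk header of the file being parsed; its declaration is outside this hunk. A value smaller than the 8 bytes consumed by the two `get_be32()` calls below, or a negative value if `size` is a signed int, puts data_end at or before the start of the sample data. The packet reader then returns EOF immediately, which is memory-safe but turns a malformed file into a silently empty stream. Rejecting it here, for example with `if (size < 8) return AVERROR_INVALIDDATA;` ahead of the assignment, would surface the corruption to the caller instead.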
@@ -420,10 +426,18 @@ static int aiff_read_packet(AVFormatContext *s,
AVPacket *pkt)
{
AVStream *st = s->streams[0];
+ AIFFInputContext *aiff = s->priv_data;
+ int64_t max_size;
int res;
+ /* calculate size of remaining data */
+ max_size = aiff->data_end - url_ftell(s->pb);
+ if (max_size <= 0)
+ return AVERROR_EOF;
+
/* Now for that packet */
- res = av_get_packet(s->pb, pkt, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
+ max_size = FFMIN(max_size, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
+ res = av_get_packet(s->pb, pkt, max_size);
if (res < 0)
return res;
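Review bot: The rewritten size computation on the `FFMIN` line still divides by `st->codec->block_align`, which is presumably derived from file-supplied header fields, so a zero value would raise a division fault on a crafted input. Whether aiff_read_header already rejects that case is not visible in this diff. A local guard such as `if (st->codec->block_align <= 0) return AVERROR_INVALIDDATA;` before the division would make the packet reader safe regardless. Separately, the remaining-bytes clamp is not rounded down to a multiple of block_align, so the last packet can end in a partial block when the SSND size is not block-aligned. The body of aiff_read_packet continues past the end of this hunk.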
@@ -436,7 +450,7 @@ static int aiff_read_packet(AVFormatContext *s,
AVInputFormat aiff_demuxer = {
"aiff",
NULL_IF_CONFIG_SMALL("Audio IFF"),
- 0,
+ sizeof(AIFFInputContext),
aiff_probe,
aiff_read_header,
aiff_read_packet,