diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-09-20 19:11:41 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-09-20 19:11:46 +0200 |
| commit | 6902c3acb0e1cd80fd40312a2053a86967708f35 (patch) | |
| tree | 182dddb3c638b4372e9dcab20b66d908df9552ba | |
| parent | 2f39d7ff3fc2a5d427f9576fcc83f58c2e7d6a4f (diff) | |
| parent | 870e75524aa0d00ebcd1d15589c8d29b84af1565 (diff) | |
| download | ffmpeg-6902c3acb0e1cd80fd40312a2053a86967708f35.tar.gz | |
Merge commit '870e75524aa0d00ebcd1d15589c8d29b84af1565'
* commit '870e75524aa0d00ebcd1d15589c8d29b84af1565':
matroskadec: validate lace_size when parsed
Merged-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/matroskadec.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2a88fc3db4..6330b15ecf 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1980,11 +1980,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, } total += lace_size[n]; } + if (size <= total) { + res = AVERROR_INVALIDDATA; + goto end; + } lace_size[n] = size - total; break; } case 0x2: /* fixed-size lacing */ + if (size != (size / laces) * size) { + res = AVERROR_INVALIDDATA; + goto end; + } for (n = 0; n < laces; n++) lace_size[n] = size / laces; break; @@ -1995,7 +2003,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (n < 0) { av_log(matroska->ctx, AV_LOG_INFO, "EBML block data error\n"); - break; + res = n; + goto end; } data += n; size -= n; @@ -2007,13 +2016,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (r < 0) { av_log(matroska->ctx, AV_LOG_INFO, "EBML block data error\n"); - break; + res = r; + goto end; } data += r; size -= r; lace_size[n] = lace_size[n - 1] + snum; total += lace_size[n]; } + if (size <= total) { + res = AVERROR_INVALIDDATA; + goto end; + } lace_size[laces - 1] = size - total; break; } |