oma: Fix out of array read.

Input: 01-Untitled-partial.oma ZZUF params: zzuf[s=7157,r=0.001] Fixes Bugzilla #106 Bug-found-by: darkshikari Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-18 14:53:09 -0400
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-18 15:01:58 -0700
commit: 72ec043af4510723c53c729a67be482a14b7c7f3 (patch)
tree: 43a0719abf656e4edec75f59fe1a311d4121954c
parent: a56fba502e9087c204b7d6cdc8e12d623f77d66d (diff)
download: ffmpeg-72ec043af4510723c53c729a67be482a14b7c7f3.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 810e970c11..022942d242 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -140,7 +140,7 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val)
     return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0;
 }
 
-static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val)
+static int nprobe(AVFormatContext *s, uint8_t *enc_header, int size, const uint8_t *n_val)
 {
     OMAContext *oc = s->priv_data;
     uint32_t pos, taglen, datalen;
@@ -159,6 +159,9 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val)
     taglen = AV_RB32(&enc_header[pos+32]);
     datalen = AV_RB32(&enc_header[pos+36]) >> 4;
 
+    if(taglen + (((uint64_t)datalen)<<4) + 44 > size)
+        return -1;
+
     pos += 44 + taglen;
 
     av_des_init(&av_des, n_val, 192, 1);
@@ -229,14 +232,14 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
     }
     if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) ||
         rprobe(s, gdata, oc->r_val) < 0 &&
-        nprobe(s, gdata, oc->n_val) < 0) {
+        nprobe(s, gdata, geob->datasize, oc->n_val) < 0) {
         int i;
         for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) {
             uint8_t buf[16];
             AV_WL64(buf, leaf_table[i]);
             AV_WL64(&buf[8], leaf_table[i+1]);
             kset(s, buf, buf, 16);
-            if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, oc->n_val))
+            if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, geob->datasize, oc->n_val))
                 break;
         }
         if (i >= sizeof(leaf_table)) {
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-18 14:53:09 -0400
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-18 15:01:58 -0700
commit	72ec043af4510723c53c729a67be482a14b7c7f3 (patch)
tree	43a0719abf656e4edec75f59fe1a311d4121954c
parent	a56fba502e9087c204b7d6cdc8e12d623f77d66d (diff)
download	ffmpeg-72ec043af4510723c53c729a67be482a14b7c7f3.tar.gz