diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2007-01-22 03:19:00 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2007-01-22 03:19:00 +0000 |
commit | 0521946359241bbd72d6a226351c8812c1730b11 (patch) | |
tree | d2eb1cb28308d9c00a5c049685d5ee5e216396ff /libavformat/asf.c | |
parent | 2c86a5786aaee2eab16a5420ecd622699880a0ce (diff) | |
download | ffmpeg-0521946359241bbd72d6a226351c8812c1730b11.tar.gz |
adding a few checks to the audio packet descrambling, this should hopefully catch all related out of array accesses
note, the original code might have been exploitable
Originally committed as revision 7640 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/asf.c')
-rw-r--r-- | libavformat/asf.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/libavformat/asf.c b/libavformat/asf.c index 217ed57196..3ef1c7d451 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -244,7 +244,8 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) // asf_st->ds_data_size, asf_st->ds_span, asf_st->ds_silence_data); if (asf_st->ds_span > 1) { if (!asf_st->ds_chunk_size - || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1)) + || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1) + || asf_st->ds_packet_size % asf_st->ds_chunk_size) asf_st->ds_span = 0; // disable descrambling } switch (st->codec->codec_id) { @@ -702,6 +703,9 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) if (asf_st->frag_offset == asf_st->pkt.size) { /* return packet */ if (asf_st->ds_span > 1) { + if(asf_st->pkt.size != asf_st->ds_packet_size * asf_st->ds_span){ + av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span\n"); + }else{ /* packet descrambling */ uint8_t *newdata = av_malloc(asf_st->pkt.size); if (newdata) { @@ -712,6 +716,9 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) int col = off % asf_st->ds_span; int idx = row + col * asf_st->ds_packet_size / asf_st->ds_chunk_size; //printf("off:%d row:%d col:%d idx:%d\n", off, row, col, idx); + + assert(offset + asf_st->ds_chunk_size <= asf_st->pkt.size); + assert(idx+1 <= asf_st->pkt.size / asf_st->ds_chunk_size); memcpy(newdata + offset, asf_st->pkt.data + idx * asf_st->ds_chunk_size, asf_st->ds_chunk_size); @@ -720,6 +727,7 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) av_free(asf_st->pkt.data); asf_st->pkt.data = newdata; } + } } asf_st->frag_offset = 0; *pkt= asf_st->pkt; |