diff options
author | Matt Wolenetz <wolenetz@google.com> | 2019-07-25 15:54:49 -0700 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-07-26 08:38:09 +0200 |
commit | 052d41377a02f480f8e7135c0f7d418e9a405215 (patch) | |
tree | 45c30777229f0b2812d07b507845d5e50dee86c2 /libavformat/wavdec.c | |
parent | d83a3117e2f0b17a7742ec16d8fb39cddc272375 (diff) | |
download | ffmpeg-052d41377a02f480f8e7135c0f7d418e9a405215.tar.gz |
lafv/wavdec: Fail bext parsing on incomplete reads
avio_read can successfully return even when less than the requested
amount of input was read. wavdec's bext parsing mistakenly assumed a
successful avio_read always read the full amount that was requested.
The result could be dictionary tags populated with partially
uninitialized values.
This change also fixes a broken assertion in wav_parse_bext_string that
was off-by-one, though no known current usage of that method hits that
broken case.
Chromium bug: 987270
Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/wavdec.c')
-rw-r--r-- | libavformat/wavdec.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1b131ee2c1..684efd97f9 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -233,9 +233,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; @@ -304,8 +304,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, |