authorMatt Wolenetz <wolenetz@google.com>2019-07-25 15:54:49 -0700
committerMichael Niedermayer <michael@niedermayer.cc>2019-11-11 20:18:46 +0100
commit1ed2fae5d61a4d84f1156f344893067ed82d530d (patch)
tree47e820e96149ba8a08afe5eb26e10373e0976079 /libavformat
parent7cba8c65bd9b80fcbab9e0bd11fe63a3f539cc1e (diff)
lafv/wavdec: Fail bext parsing on incomplete reads
avio_read can successfully return even when less than the requested amount of input was read. wavdec's bext parsing mistakenly assumed a successful avio_read always read the full amount that was requested. The result could be dictionary tags populated with partially uninitialized values. This change also fixes a broken assertion in wav_parse_bext_string that was off-by-one, though no known current usage of that method hits that broken case. Chromium bug: 987270 Signed-off-by: Matt Wolenetz <wolenetz@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/wavdec.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index e280be4d44..08b6f27e9d 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -232,9 +232,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key,
char temp[257];
int ret;
- av_assert0(length <= sizeof(temp));
- if ((ret = avio_read(s->pb, temp, length)) < 0)
- return ret;
+ av_assert0(length < sizeof(temp));
+ if ((ret = avio_read(s->pb, temp, length)) != length)
+ return ret < 0 ? ret : AVERROR_INVALIDDATA;
temp[length] = 0;
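Review bot: The corrected bound in `av_assert0(length < sizeof(temp))` is right, but nothing in the hunk records why it has to be strict: the unchanged `temp[length] = 0;` writes at index `length`, so `length == sizeof(temp)` would store one byte past the 257-byte buffer. A comment above the assertion would keep a later edit from loosening it again, for example `/* strict: temp[length] receives the terminating NUL below */`. Because `av_assert0` aborts instead of returning an error, it is only suitable while every caller passes a fixed length, which the commit message implies but the hunk does not show. The rest of the signature and the remainder of the body are outside the hunk.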
@@ -303,8 +303,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size)
if (!(coding_history = av_malloc(size + 1)))
return AVERROR(ENOMEM);
- if ((ret = avio_read(s->pb, coding_history, size)) < 0)
- return ret;
+ if ((ret = avio_read(s->pb, coding_history, size)) != size) {
+ av_free(coding_history);
+ return ret < 0 ? ret : AVERROR_INVALIDDATA;
+ }
coding_history[size] = 0;
if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history,
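Review bot: `size` is an `int64_t` but is handed to `avio_read`, whose length argument and return value are `int`, so a value above INT_MAX is narrowed at the call and is only rejected afterwards because `ret != size` can then never be satisfied. That fails closed, but not until `av_malloc(size + 1)` has already been attempted with a length that appears to come from the file. If no earlier check in this function bounds it (not visible here), reject it before allocating, e.g. `if (size < 0 || size >= INT_MAX) return AVERROR_INVALIDDATA;`. The function starts before this hunk and continues past it.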