comparison rm.c @ 1079:40e81416015d libavformat

sanity checks some might have been exploitable
author michael
date Sat, 13 May 2006 11:37:56 +0000
parents d2e5dfdf4def
children d187ac890c0e
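--- a/libavformat/rm.c
+++ b/libavformat/rm.c
@@ -553,24 +553,41 @@
 } else if (!strcmp(buf, "28_8")) {
 st->codec->codec_id = CODEC_ID_RA_288;
 st->codec->extradata_size= 0;
 rm->audio_framesize = st->codec->block_align;
 st->codec->block_align = coded_framesize;
+
+if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
+av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+return -1;
+}
+
 rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
 } else if (!strcmp(buf, "cook")) {
 int codecdata_length, i;
 get_be16(pb); get_byte(pb);
 if (((version >> 16) & 0xff) == 5)
 get_byte(pb);
 codecdata_length = get_be32(pb);
+if(codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){
+av_log(s, AV_LOG_ERROR, "codecdata_length too large\n");
+return -1;
+}
+
 st->codec->codec_id = CODEC_ID_COOK;
 st->codec->extradata_size= codecdata_length;
 st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 for(i = 0; i < codecdata_length; i++)
 ((uint8_t*)st->codec->extradata)[i] = get_byte(pb);
 rm->audio_framesize = st->codec->block_align;
 st->codec->block_align = rm->sub_packet_size;
+
+if(rm->audio_framesize >= UINT_MAX / sub_packet_h){
+av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n");
+return -1;
+}
+
 rm->audiobuf = av_malloc(rm->audio_framesize * sub_packet_h);
 } else {
 st->codec->codec_id = CODEC_ID_NONE;
 pstrcpy(st->codec->codec_name, sizeof(st->codec->codec_name),
 buf);
@@ -713,10 +730,16 @@
 get_be32(pb);
 fps2= get_be16(pb);
 get_be16(pb);
 
 st->codec->extradata_size= codec_data_size - (url_ftell(pb) - codec_pos);
+
+if(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)st->codec->extradata_size){
+//check is redundant as get_buffer() will catch this
+av_log(s, AV_LOG_ERROR, "st->codec->extradata_size too large\n");
+return -1;
+}
 st->codec->extradata= av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 get_buffer(pb, st->codec->extradata, st->codec->extradata_size);
 
 // av_log(NULL, AV_LOG_DEBUG, "fps= %d fps2= %d\n", fps, fps2);
 st->codec->time_base.den = fps * st->codec->time_base.num;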
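Review bot: The new guards on lines 559 and 584 divide by `sub_packet_h` before anything shows it is non-zero; `sub_packet_h` is read from the stream earlier, outside this hunk, so if it can be 0 the check itself faults, and a zero value should be rejected first: `if(!sub_packet_h || rm->audio_framesize >= UINT_MAX / sub_packet_h){`. On line 571 the sum `codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE` is evaluated in signed int (`codecdata_length` is declared `int` on line 566), so the wrap the test is meant to catch is undefined behaviour, and a negative `codecdata_length` (a get_be32() value with the top bit set) passes whenever the sum stays negative; reject `codecdata_length < 0` explicitly and perform the addition on the unsigned cast, e.g. `if(codecdata_length < 0 || (unsigned)codecdata_length + FF_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){`. Line 736 applies the same cast-after-add pattern to `extradata_size` and deserves the same treatment. Even with the range checks in place, the results of `av_malloc`/`av_mallocz` on lines 564, 578, 589 and 741 are never tested for NULL before the loop on line 580 and `get_buffer()` on line 742 write through them, so a length that passes the wrap check but exceeds available memory still dereferences a null pointer. The enclosing function begins and ends outside both hunks.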