changeset 3511:34a5e6f576fd libavformat

Fix exploitable code. Fixes issue311
author michael
date Thu, 26 Jun 2008 22:22:10 +0000
parents ac8b6b83e61e
children 5a60e9f9f5d6
files psxstr.c
diffstat 1 files changed, 21 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/psxstr.c	Thu Jun 26 13:42:26 2008 +0000
+++ b/psxstr.c	Thu Jun 26 22:22:10 2008 +0000
@@ -274,12 +274,23 @@
                 int current_sector = AV_RL16(&sector[0x1C]);
                 int sector_count   = AV_RL16(&sector[0x1E]);
                 int frame_size = AV_RL32(&sector[0x24]);
-                int bytes_to_copy;
+
+                if(!(   frame_size>=0
+                     && current_sector < sector_count
+                     && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
+                    av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
+                    return AVERROR_INVALIDDATA;
+                }
+
 //        printf("%d %d %d\n",current_sector,sector_count,frame_size);
                 /* if this is the first sector of the frame, allocate a pkt */
                 pkt = &str->tmp_pkt;
-                if (current_sector == 0) {
-                    if (av_new_packet(pkt, frame_size))
+
+                if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
+                    if(pkt->data)
+                        av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
+                    av_free_packet(pkt);
+                    if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
                         return AVERROR(EIO);
 
                     pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
@@ -293,15 +304,15 @@
                        str->pts += (90000 / 15);
                 }
 
-                /* load all the constituent chunks in the video packet */
-                bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
-                if (bytes_to_copy>0) {
-                    if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
-                    memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
-                        sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
-                }
+                memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+                       sector + VIDEO_DATA_HEADER_SIZE,
+                       VIDEO_DATA_CHUNK_SIZE);
+
                 if (current_sector == sector_count-1) {
+                    pkt->size= frame_size;
                     *ret_pkt = *pkt;
+                    pkt->data= NULL;
+                    pkt->size= -1;
                     return 0;
                 }