Mercurial > libavformat.hg
changeset 3511:34a5e6f576fd libavformat
Fix exploitable code.
Fixes issue311
author | michael |
---|---|
date | Thu, 26 Jun 2008 22:22:10 +0000 |
parents | ac8b6b83e61e |
children | 5a60e9f9f5d6 |
files | psxstr.c |
diffstat | 1 files changed, 21 insertions(+), 10 deletions(-) [+] |
line wrap: on
line diff
--- a/psxstr.c Thu Jun 26 13:42:26 2008 +0000 +++ b/psxstr.c Thu Jun 26 22:22:10 2008 +0000 @@ -274,12 +274,23 @@ int current_sector = AV_RL16(§or[0x1C]); int sector_count = AV_RL16(§or[0x1E]); int frame_size = AV_RL32(§or[0x24]); - int bytes_to_copy; + + if(!( frame_size>=0 + && current_sector < sector_count + && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ + av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); + return AVERROR_INVALIDDATA; + } + // printf("%d %d %d\n",current_sector,sector_count,frame_size); /* if this is the first sector of the frame, allocate a pkt */ pkt = &str->tmp_pkt; - if (current_sector == 0) { - if (av_new_packet(pkt, frame_size)) + + if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ + if(pkt->data) + av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); + av_free_packet(pkt); + if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) return AVERROR(EIO); pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; @@ -293,15 +304,15 @@ str->pts += (90000 / 15); } - /* load all the constituent chunks in the video packet */ - bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; - if (bytes_to_copy>0) { - if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; - memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, - sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); - } + memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, + sector + VIDEO_DATA_HEADER_SIZE, + VIDEO_DATA_CHUNK_SIZE); + if (current_sector == sector_count-1) { + pkt->size= frame_size; *ret_pkt = *pkt; + pkt->data= NULL; + pkt->size= -1; return 0; }