Mercurial > mplayer.hg
comparison libmpdemux/demux_ogg.c @ 20494:30fce0f93ad1
Make sure we do not read beyond end of subtitle packet
| author | reimar |
|---|---|
| date | Sun, 29 Oct 2006 13:17:26 +0000 |
| parents | e8d37db54bf5 |
| children | a384688bff57 |
comparison
equal
deleted
inserted
replaced
| 20493:e8d37db54bf5 | 20494:30fce0f93ad1 |
|---|---|
| 229 int lcv; | 229 int lcv; |
| 230 int line_pos = 0; | 230 int line_pos = 0; |
| 231 int ignoring = 0; | 231 int ignoring = 0; |
| 232 char *packet = pack->packet; | 232 char *packet = pack->packet; |
| 233 | 233 |
| 234 if (pack->bytes < 4) | |
| 235 return; | |
| 234 mp_msg(MSGT_DEMUX,MSGL_DBG2,"\ndemux_ogg_add_sub %02X %02X %02X '%s'\n", | 236 mp_msg(MSGT_DEMUX,MSGL_DBG2,"\ndemux_ogg_add_sub %02X %02X %02X '%s'\n", |
| 235 (unsigned char)packet[0], | 237 (unsigned char)packet[0], |
| 236 (unsigned char)packet[1], | 238 (unsigned char)packet[1], |
| 237 (unsigned char)packet[2], | 239 (unsigned char)packet[2], |
| 238 &packet[3]); | 240 &packet[3]); |
| 242 // Find data start | 244 // Find data start |
| 243 int32_t duration = 0; | 245 int32_t duration = 0; |
| 244 int16_t hdrlen = (*packet & PACKET_LEN_BITS01)>>6, i; | 246 int16_t hdrlen = (*packet & PACKET_LEN_BITS01)>>6, i; |
| 245 hdrlen |= (*packet & PACKET_LEN_BITS2) <<1; | 247 hdrlen |= (*packet & PACKET_LEN_BITS2) <<1; |
| 246 lcv = 1 + hdrlen; | 248 lcv = 1 + hdrlen; |
| 249 if (pack->bytes < lcv) | |
| 250 return; | |
| 247 for (i = hdrlen; i > 0; i--) { | 251 for (i = hdrlen; i > 0; i--) { |
| 248 duration <<= 8; | 252 duration <<= 8; |
| 249 duration |= (unsigned char)packet[i]; | 253 duration |= (unsigned char)packet[i]; |
| 250 } | 254 } |
| 251 if ((hdrlen > 0) && (duration > 0)) { | 255 if ((hdrlen > 0) && (duration > 0)) { |
| 255 pts = (float)pack->granulepos/(float)os->samplerate; | 259 pts = (float)pack->granulepos/(float)os->samplerate; |
| 256 clear_sub = 1.0 + pts + (float)duration/1000.0; | 260 clear_sub = 1.0 + pts + (float)duration/1000.0; |
| 257 } | 261 } |
| 258 ogg_sub.text[0] = realloc(ogg_sub.text[0], OGG_SUB_MAX_LINE); | 262 ogg_sub.text[0] = realloc(ogg_sub.text[0], OGG_SUB_MAX_LINE); |
| 259 while (1) { | 263 while (1) { |
| 260 int c = packet[lcv++]; | 264 int c = lcv < pack->bytes ? packet[lcv++] : 0; |
| 261 if(c=='\n' || c==0 || line_pos >= OGG_SUB_MAX_LINE-1){ | 265 if(c=='\n' || c==0 || line_pos >= OGG_SUB_MAX_LINE-1){ |
| 262 ogg_sub.text[ogg_sub.lines][line_pos] = 0; // close sub | 266 ogg_sub.text[ogg_sub.lines][line_pos] = 0; // close sub |
| 263 if(line_pos) { | 267 if(line_pos) { |
| 264 ogg_sub.lines++; | 268 ogg_sub.lines++; |
| 265 ogg_sub.text[ogg_sub.lines] = realloc(ogg_sub.text[ogg_sub.lines], OGG_SUB_MAX_LINE); | 269 ogg_sub.text[ogg_sub.lines] = realloc(ogg_sub.text[ogg_sub.lines], OGG_SUB_MAX_LINE); |