On Thu, Jul 6, 2023 at 4:28 AM Thilo Borgmann <thilo.borgm...@mail.de> wrote:
>
> ---
> libavcodec/webp_parser.c | 132 ++++++++++++++++++++++++++-------------
> 1 file changed, 90 insertions(+), 42 deletions(-)
>
> [...]
> + } else {
> + /* read the next tag */
> + ctx->remaining_file_size--;
> + if (ctx->remaining_file_size == 0) {
> ctx->pc.frame_start_found = 0;
> continue;
> }
> ctx->pc.frame_start_found++;
> - ctx->remaining_size = ctx->fsize + i - 15;
> - if (ctx->pc.index + i > 15) {
> - next = i - 15;
> - state = 0;
> - break;
> - } else {
> - ctx->pc.state64 = 0;
> - goto restart;
> + if (ctx->pc.frame_start_found < 8)
> + continue;
> +
> + switch (state >> 32) {
> + case MKBETAG('A', 'N', 'M', 'F'):
> + case MKBETAG('V', 'P', '8', ' '):
> + case MKBETAG('V', 'P', '8', 'L'):
No indent on the case statements.
> + if (ctx->frame) {
> + ctx->frame = 0;
> + next = i - 8;
> + state = 0;
> + ctx->pc.frame_start_found = 0;
> + goto flush;
> + }
> + ctx->frame = 1;
> + break;
> + default:
> + break;
> }
> - } else if (ctx->pc.frame_start_found)
> - ctx->pc.frame_start_found++;
> - }
> - ctx->pc.state64 = state;
> - } else {
> - if (ctx->remaining_size) {
> - i = FFMIN(ctx->remaining_size, buf_size);
> - ctx->remaining_size -= i;
> - if (ctx->remaining_size)
> - goto flush;
>
> - ctx->pc.frame_start_found = 0;
> - goto restart;
> + ctx->remaining_tag_size = av_bswap32(state);
> + ctx->remaining_tag_size += ctx->remaining_tag_size & 1;
> + if (ctx->remaining_tag_size > ctx->remaining_file_size) {
> + /* this is probably trash at the end of file */
This would instead mean the file was truncated if remaining_tag_size fits within the RIFF chunk size. Parsing also looks like it can continue past the end of the RIFF chunk.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".