This demuxer is prone to cause segfaults/hangs with invalid/malicious TTA files.
This patch ambitiously attempts/fails to resolve all of them.
diff --git a/libavformat/tta.c b/libavformat/tta.c
index 37a359b..350352f 100644
--- a/libavformat/tta.c
+++ b/libavformat/tta.c
@@ -90,6 +90,8 @@ static int tta_read_header(AVFormatContext *s, AVFormatParameters *ap)
for (i = 0; i < c->totalframes; i++) {
uint32_t size = avio_rl32(s->pb);
+ if (s->pb->eof_reached)
+ return AVERROR(EIO);
av_add_index_entry(st, framepos, i*framelen, size, 0, AVINDEX_KEYFRAME);
framepos += size;
}
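Review bot: The return value of `av_add_index_entry()` is still ignored inside this loop, so a failed insertion leaves the index shorter than `c->totalframes` while the loop carries on, and `tta_read_packet` later indexes it by `c->currentframe`. Checking it, for example `if (av_add_index_entry(st, framepos, i*framelen, size, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`, keeps the index and the frame count consistent. `size` is a file-supplied 32-bit value that is presumably narrowed when stored in the index entry, so an upper bound on it before use would be worth adding as well. The body of `tta_read_header` starts and ends outside this hunk, so whether `totalframes` is bounded earlier cannot be seen here.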
@@ -124,15 +126,21 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt)
AVStream *st = s->streams[0];
int size, ret;
+ if (s->pb->eof_reached)
+ return AVERROR(EIO);
// FIXME!
if (c->currentframe > c->totalframes)
return -1;
+ if (!st->index_entries)
+ return -1;
size = st->index_entries[c->currentframe].size;
ret = av_get_packet(s->pb, pkt, size);
+ if (ret <= 0)
+ return AVERROR(EIO);
pkt->dts = st->index_entries[c->currentframe++].timestamp;
- return ret;
+ return 0;
}
static int tta_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags)
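Review bot: The bound check under `// FIXME!` is still `c->currentframe > c->totalframes`, so when `currentframe == totalframes` the code reads `st->index_entries[c->currentframe]`, one element past the entries the header loop added. The new `!st->index_entries` test only catches a missing index, not one that is shorter than `totalframes`. Something like `if (c->currentframe >= c->totalframes || c->currentframe >= st->nb_index_entries) return AVERROR_EOF;` would cover both cases. Separately, `if (ret <= 0) return AVERROR(EIO);` discards the actual error code from `av_get_packet()` and still accepts a short read where `ret < size`; returning `ret` when it is negative and rejecting a short read explicitly would be clearer. The start of `tta_read_packet` is outside this hunk.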