On Wed, Dec 07, 2011 at 08:51:14AM +0000, Paul B. Mahol wrote:
> This demuxer is prone to cause segfaults/hangs with invalid/malicious TTA
> files.
> This patch ambitiously attempts/fails to resolve all of them.
> diff --git a/libavformat/tta.c b/libavformat/tta.c
> index 37a359b..350352f 100644
> --- a/libavformat/tta.c
> +++ b/libavformat/tta.c
> @@ -90,6 +90,8 @@ static int tta_read_header(AVFormatContext *s,
> AVFormatParameters *ap)
>
> for (i = 0; i < c->totalframes; i++) {
> uint32_t size = avio_rl32(s->pb);
> + if (s->pb->eof_reached)
> + return AVERROR(EIO);
> av_add_index_entry(st, framepos, i*framelen, size, 0,
> AVINDEX_KEYFRAME);
> framepos += size;
> }
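Review bot: The return value of `av_add_index_entry()` in this loop is still ignored, so if an entry cannot be added (for example when a damaged or crafted header declares a very large `totalframes` and growing the index fails), the index ends up shorter than `c->totalframes`. tta_read_packet later uses `c->totalframes` as its bound. Suggest `if (av_add_index_entry(st, framepos, i*framelen, size, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`. `size` also comes from the file unvalidated and is accumulated into `framepos`, whose declaration is outside the hunk, so it is worth confirming that the sum cannot wrap. tta_read_header starts and ends outside the hunk.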
> @@ -124,15 +126,21 @@ static int tta_read_packet(AVFormatContext *s, AVPacket
> *pkt)
> AVStream *st = s->streams[0];
> int size, ret;
>
> + if (s->pb->eof_reached)
> + return AVERROR(EIO);
> // FIXME!
> if (c->currentframe > c->totalframes)
> return -1;
>
> + if (!st->index_entries)
> + return -1;
it's better to check for c->totalframes == 0 in tta_read_header() IMO
> size = st->index_entries[c->currentframe].size;
>
> ret = av_get_packet(s->pb, pkt, size);
> + if (ret <= 0)
> + return AVERROR(EIO);
maybe even ret != size
> pkt->dts = st->index_entries[c->currentframe++].timestamp;
> - return ret;
> + return 0;
> }
>
> static int tta_read_seek(AVFormatContext *s, int stream_index, int64_t
> timestamp, int flags)
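Review bot: The bound check under the `// FIXME!` is left as `c->currentframe > c->totalframes`, which still lets `currentframe == totalframes` through to `st->index_entries[c->currentframe]`. The header loop adds entries 0..totalframes-1, so that read is one element past the end of the index, and the new `!st->index_entries` test does not catch it. `if (c->currentframe >= c->totalframes) return AVERROR_EOF;` would close it. Comparing against `st->nb_index_entries` instead would also hold if the index came out shorter than the header claimed.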