vlc | branch: master | Francois Cartegnie <[email protected]> | Wed Nov 4 10:10:47 2020 +0100| [a4ed34d704ec8721b7d74542324f39c9f2aff508] | committer: Francois Cartegnie
demux: asf: check data object range when reading > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a4ed34d704ec8721b7d74542324f39c9f2aff508 --- modules/demux/asf/asf.c | 3 ++- modules/demux/asf/asfpacket.c | 17 ++++++++++++++++- modules/demux/asf/asfpacket.h | 2 +- modules/demux/mp4/mp4.c | 3 ++- 4 files changed, 21 insertions(+), 4 deletions(-) diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c index 4828a77804..8446510fa6 100644 --- a/modules/demux/asf/asf.c +++ b/modules/demux/asf/asf.c @@ -221,7 +221,8 @@ static int Demux( demux_t *p_demux ) /* Read and demux a packet */ if( DemuxASFPacket( &p_sys->packet_sys, p_sys->p_fp->i_min_data_packet_size, - p_sys->p_fp->i_max_data_packet_size ) <= 0 ) + p_sys->p_fp->i_max_data_packet_size, + p_sys->i_data_begin, p_sys->i_data_end ) <= 0 ) { p_sys->b_eos = true; /* Check if we have concatenated files */ diff --git a/modules/demux/asf/asfpacket.c b/modules/demux/asf/asfpacket.c index 0b447352df..1a94dcf0b1 100644 --- a/modules/demux/asf/asfpacket.c +++ b/modules/demux/asf/asfpacket.c @@ -380,10 +380,17 @@ skip: } int DemuxASFPacket( asf_packet_sys_t *p_packetsys, - uint32_t i_data_packet_min, uint32_t i_data_packet_max ) + uint32_t i_data_packet_min, uint32_t i_data_packet_max, + uint64_t i_data_begin, uint64_t i_data_end ) { demux_t *p_demux = p_packetsys->p_demux; + const uint64_t i_read_pos = vlc_stream_Tell( p_demux->s ); + if( i_read_pos < i_data_begin || + i_data_packet_min > i_data_end || + i_read_pos > i_data_end - i_data_packet_min ) + return 0; + const uint8_t *p_peek; ssize_t i_return = vlc_stream_Peek( p_demux->s, &p_peek,i_data_packet_min ); if( i_return <= 0 || (size_t) i_return < i_data_packet_min ) 
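Review bot: The range test added at the top of DemuxASFPacket treats i_data_end as always meaningful: if a caller can pass 0 (or another "size unknown" value) for a stream with no declared data object size, `i_data_packet_min > i_data_end` holds for every packet, and the resulting return of 0 is turned into end-of-stream by the `<= 0` test at the Demux() call site in asf.c. The assignment of p_sys->i_data_end is not part of this diff, so this needs confirming against the init code; if such a sentinel exists, guard the upper bound, e.g. `if( i_read_pos < i_data_begin || ( i_data_end != 0 && ( i_data_packet_min > i_data_end || i_read_pos > i_data_end - i_data_packet_min ) ) )`. The same concern applies to the pkt.length check added in the second asfpacket.c hunk. This early return is also silent, whereas the later check logs with msg_Warn; a matching message here would make truncated or malformed files easier to triage. The function body continues outside the hunk.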
@@ -452,6 +459,14 @@ int DemuxASFPacket( asf_packet_sys_t *p_packetsys, pkt.send_time = VLC_TICK_FROM_MS(GetDWLE( p_peek + i_skip )); i_skip += 4; /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2; + if( pkt.length > i_data_end || + i_read_pos > i_data_end - pkt.length ) + { + msg_Warn( p_demux, "pkt size %"PRIu32" at %"PRIu64" does not fit data chunk", + pkt.length, i_read_pos ); + return 0; + } + i_return = vlc_stream_Peek( p_demux->s, &p_peek, pkt.length ); if( i_return <= 0 || pkt.length == 0 || (size_t)i_return < pkt.length ) { diff --git a/modules/demux/asf/asfpacket.h b/modules/demux/asf/asfpacket.h index 9a5af1aa66..ba11d7f56d 100644 --- a/modules/demux/asf/asfpacket.h +++ b/modules/demux/asf/asfpacket.h @@ -57,5 +57,5 @@ struct asf_packet_sys_s void (*pf_setaspectratio)(asf_packet_sys_t *, uint8_t, uint8_t, uint8_t); }; -int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t ); +int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t, uint64_t, uint64_t ); #endif diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c index 875d8c4d38..152441750d 100644 --- a/modules/demux/mp4/mp4.c +++ b/modules/demux/mp4/mp4.c @@ -719,7 +719,8 @@ static void MP4_Block_Send( demux_t *p_demux, mp4_track_t *p_track, block_t *p_b p_track->i_dts_backup = p_block->i_dts; p_track->i_pts_backup = p_block->i_pts; /* And demux it as ASF packet */ - DemuxASFPacket( &p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer ); + DemuxASFPacket( &p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer, + 0, p_block->i_buffer ); vlc_stream_Delete(p_demux->s); } block_Release(p_block); _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
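Review bot: The prototype in asfpacket.h now takes four consecutive unnamed integer parameters, so the declaration does not tell a caller which uint32_t is the minimum packet size or which uint64_t is the start of the data range, and swapped arguments of the same type would compile without a diagnostic. Name them as in the definition: `int DemuxASFPacket( asf_packet_sys_t *, uint32_t i_data_packet_min, uint32_t i_data_packet_max, uint64_t i_data_begin, uint64_t i_data_end );`. A short comment above it should state that the two offsets are stream positions compared against vlc_stream_Tell(), and that 0 is returned when the packet does not fit inside that range.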
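Review bot: The return value of DemuxASFPacket is still discarded in MP4_Block_Send, so a block rejected by the new range checks is dropped without this caller noticing; checking for `<= 0` and logging or counting the rejection would make malformed samples visible. Passing 0 as i_data_begin and p_block->i_buffer as i_data_end also assumes the temporary stream in p_demux->s reports position 0 at this point, which deserves a one-line comment. If p_block->i_buffer is wider than 32 bits (its type is not visible in this hunk), the same value is narrowed for the two uint32_t size arguments but not for the uint64_t end, so an explicit bound check before the call would keep the three arguments consistent. The body of MP4_Block_Send starts and ends outside the hunk.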
