vlc/vlc-3.0 | branch: master | Francois Cartegnie <[email protected]> | Wed Nov 4 10:10:47 2020 +0100| [41e69627fecfe6242507aee95120d2e4fd640a7d] | committer: Francois Cartegnie
demux: asf: check data object range when reading (cherry picked from commit a4ed34d704ec8721b7d74542324f39c9f2aff508) > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=41e69627fecfe6242507aee95120d2e4fd640a7d
---
 modules/demux/asf/asf.c | 3 ++-
 modules/demux/asf/asfpacket.c | 17 ++++++++++++++++-
 modules/demux/asf/asfpacket.h | 2 +-
 modules/demux/mp4/mp4.c | 3 ++-
 4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c
index a05ebe825b..bc132fe0ad 100644
--- a/modules/demux/asf/asf.c
+++ b/modules/demux/asf/asf.c
@@ -219,7 +219,8 @@ static int Demux( demux_t *p_demux )
 /* Read and demux a packet */
 if( DemuxASFPacket( &p_sys->packet_sys,
 p_sys->p_fp->i_min_data_packet_size,
- p_sys->p_fp->i_max_data_packet_size ) <= 0 )
+ p_sys->p_fp->i_max_data_packet_size,
+ p_sys->i_data_begin, p_sys->i_data_end ) <= 0 )
 {
 p_sys->b_eos = true;
 /* Check if we have concatenated files */
diff --git a/modules/demux/asf/asfpacket.c b/modules/demux/asf/asfpacket.c
index cd1ae0341c..bf3a51f709 100644
--- a/modules/demux/asf/asfpacket.c
+++ b/modules/demux/asf/asfpacket.c
@@ -398,10 +398,17 @@ skip:
 }
 
 int DemuxASFPacket( asf_packet_sys_t *p_packetsys,
- uint32_t i_data_packet_min, uint32_t i_data_packet_max )
+ uint32_t i_data_packet_min, uint32_t i_data_packet_max,
+ uint64_t i_data_begin, uint64_t i_data_end )
 {
 demux_t *p_demux = p_packetsys->p_demux;
 
+ const uint64_t i_read_pos = vlc_stream_Tell( p_demux->s );
+ if( i_read_pos < i_data_begin ||
+ i_data_packet_min > i_data_end ||
+ i_read_pos > i_data_end - i_data_packet_min )
+ return 0;
+
 const uint8_t *p_peek;
 ssize_t i_return = vlc_stream_Peek( p_demux->s, &p_peek,i_data_packet_min );
 if( i_return <= 0 || (size_t) i_return < i_data_packet_min )
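Review bot: The new entry check in DemuxASFPacket treats `i_data_end` as an always-valid upper bound, but nothing in this diff shows what asf.c stores in `p_sys->i_data_end` when the size of the data object is unknown (for example broadcast or non-seekable input). If that field can be 0 or another sentinel, `i_data_packet_min > i_data_end` is true on every call, the `return 0` fires and Demux() sets `b_eos` before any packet is read; this should be confirmed where the field is initialised, or the upper-bound test skipped when the end is unknown. The early `return 0` is also silent, unlike the later length check which calls msg_Warn, so I would put `msg_Dbg( p_demux, "read position %"PRIu64" outside data object", i_read_pos );` before it to make a rejected stream diagnosable. The body of DemuxASFPacket continues past this hunk.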
@@ -470,6 +477,14 @@ int DemuxASFPacket( asf_packet_sys_t *p_packetsys,
 pkt.send_time = GetDWLE( p_peek + i_skip ); i_skip += 4;
 /* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
 
+ if( pkt.length > i_data_end ||
+ i_read_pos > i_data_end - pkt.length )
+ {
+ msg_Warn( p_demux, "pkt size %"PRIu32" at %"PRIu64" does not fit data chunk",
+ pkt.length, i_read_pos );
+ return 0;
+ }
+
 i_return = vlc_stream_Peek( p_demux->s, &p_peek, pkt.length );
 if( i_return <= 0 || pkt.length == 0 || (size_t)i_return < pkt.length )
 {
diff --git a/modules/demux/asf/asfpacket.h b/modules/demux/asf/asfpacket.h
index 768ca22f0c..8d55155d40 100644
--- a/modules/demux/asf/asfpacket.h
+++ b/modules/demux/asf/asfpacket.h
@@ -57,5 +57,5 @@ struct asf_packet_sys_s
 void (*pf_setaspectratio)(asf_packet_sys_t *, uint8_t, uint8_t, uint8_t);
 };
 
-int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t );
+int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t, uint64_t, uint64_t );
 #endif
diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index b07d005f47..631cff43b7 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -612,7 +612,8 @@ static void MP4_Block_Send( demux_t *p_demux, mp4_track_t *p_track, block_t *p_b
 p_track->i_dts_backup = p_block->i_dts;
 p_track->i_pts_backup = p_block->i_pts;
 /* And demux it as ASF packet */
- DemuxASFPacket( &p_demux->p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer );
+ DemuxASFPacket( &p_demux->p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer,
+ 0, p_block->i_buffer );
 vlc_stream_Delete(p_demux->s);
 }
 block_Release(p_block);
_______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
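Review bot: The comparison `i_read_pos > i_data_end - pkt.length` in the asfpacket.c length check is only safe because `pkt.length > i_data_end` is tested first, and nothing documents that ordering. A later tidy-up into `i_read_pos + pkt.length > i_data_end` would let the sum wrap on a file-supplied length, so I would add `/* pkt.length is read from the file: compare by subtraction so the sum cannot wrap */` above the `if`, and the same comment on the matching test at the top of the function. The check also relies on `i_read_pos` captured at function entry still being the packet start, which holds only if nothing in between advances the stream; the lines between the two hunks are not shown, so that is worth a quick confirmation.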
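Review bot: The asfpacket.h prototype now takes four unnamed integer parameters in a row, so a caller that swaps min/max or begin/end still compiles cleanly. Naming them as the definition does, `int DemuxASFPacket( asf_packet_sys_t *, uint32_t i_data_packet_min, uint32_t i_data_packet_max, uint64_t i_data_begin, uint64_t i_data_end );`, would make call sites such as the mp4.c one (`0, p_block->i_buffer`) checkable by eye. A one-line comment should also state that the last two arguments are stream offsets compared against `vlc_stream_Tell()`, and that a return of 0 now also covers a read position or packet length outside that range.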
