[libbluray-devel] mpls_parse: check for EOF
hpi1
git at videolan.org
Mon Jun 26 15:27:23 CEST 2017
libbluray | branch: master | hpi1 <hpi1 at anonymous.org> | Mon Jun 26 16:20:22 2017 +0300| [7155b3cd4d99c3da9896026b7c8f3ccb521cf95b] | committer: hpi1
mpls_parse: check for EOF
Fixes long delay with corrupt input.
> http://git.videolan.org/gitweb.cgi/libbluray.git/?a=commit;h=7155b3cd4d99c3da9896026b7c8f3ccb521cf95b
---
src/libbluray/bdnav/mpls_parse.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/src/libbluray/bdnav/mpls_parse.c b/src/libbluray/bdnav/mpls_parse.c
index 9b92253b..d922b491 100644
--- a/src/libbluray/bdnav/mpls_parse.c
+++ b/src/libbluray/bdnav/mpls_parse.c
@@ -418,6 +418,15 @@ _parse_playitem(BITSTREAM *bits, MPLS_PI *pi)
len = bs_read(bits, 16);
pos = bs_pos(bits) >> 3;
+ if (len < 18) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "_parse_playitem: invalid length %d\n", len);
+ return 0;
+ }
+ if (bs_avail(bits)/8 < len) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "_parse_playitem: unexpected EOF\n");
+ return 0;
+ }
+
// Primary Clip identifer
bs_read_string(bits, clip_id, 5);
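Review bot: The minimum lengths `18` here and `24` in the `_parse_subplayitem` hunk are bare numbers with nothing saying which fixed fields they cover, so a reader cannot confirm the bound matches the reads that follow. A one-line comment above each check, such as `/* minimum size of the fixed fields read below */` with the fields listed, or a named constant, would make them auditable. The `bs_avail(bits)/8 < len` test only proves the declared length fits in the remaining input. Both functions continue outside their hunks, so whether the later reads stay inside `len` cannot be confirmed from here and is worth checking.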
@@ -512,6 +521,16 @@ _parse_subplayitem(BITSTREAM *bits, MPLS_SUB_PI *spi)
len = bs_read(bits, 16);
pos = bs_pos(bits) >> 3;
+ if (len < 24) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "_parse_subplayitem: invalid length %d\n", len);
+ return 0;
+ }
+
+ if (bs_avail(bits)/8 < len) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "_parse_subplayitem: unexpected EOF\n");
+ return 0;
+ }
+
// Primary Clip identifer
bs_read_string(bits, clip_id, 5);
@@ -652,6 +671,12 @@ _parse_playlistmark(BITSTREAM *bits, MPLS_PL *pl)
BD_DEBUG(DBG_CRIT, "out of memory\n");
return 0;
}
+
+ if (bs_avail(bits)/(8*14) < pl->mark_count) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "_parse_playlistmark: unexpected EOF\n");
+ return 0;
+ }
+
for (ii = 0; ii < pl->mark_count; ii++) {
bs_skip(bits, 8); /* reserved */
plm[ii].mark_type = bs_read(bits, 8);
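Review bot: The added `return 0` sits after the out-of-memory check, so it runs once the mark array has already been allocated, and on truncated input that buffer looks leaked unless `pl` already owns it. The allocation and any assignment to `pl` are outside the hunk, so this needs confirming. Moving the `if (bs_avail(bits)/(8*14) < pl->mark_count)` test above the allocation would avoid the leak and also avoid allocating for a mark count the file cannot back; otherwise free `plm` before returning. A short comment saying that `14` is the byte size of one mark entry read by the loop would make the divisor checkable.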