[vlc-commits] demux: asf: enforce root object boundary (fix #9441)

Francois Cartegnie git at videolan.org
Mon Nov 25 18:18:18 CET 2013


vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Nov 25 18:13:09 2013 +0100| [2ca8c9db8064dcb8b9c683ec9b160464f6f3580e] | committer: Francois Cartegnie

demux: asf: enforce root object boundary (fix #9441)

Seems some encoder reuses previous memory area for junk sections.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=2ca8c9db8064dcb8b9c683ec9b160464f6f3580e
---

 modules/demux/asf/libasf.c |   28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index 8232656..08e56a7 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -141,9 +141,16 @@ static int ASF_ReadObjectCommon( stream_t *s, asf_object_t *p_obj )
     return VLC_SUCCESS;
 }
 
-static int ASF_NextObject( stream_t *s, asf_object_t *p_obj )
+static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary )
 {
     asf_object_t obj;
+
+    int64_t i_pos = stream_Tell( s );
+    if ( i_boundary && i_pos >= 0 && (uint64_t) i_pos >= i_boundary )
+    {
+        return VLC_EGENERIC;
+    }
+
     if( p_obj == NULL )
     {
         if( ASF_ReadObjectCommon( s, &obj ) )
@@ -213,7 +220,7 @@ static int  ASF_ReadObject_Header( stream_t *s, asf_object_t *p_obj )
             free( p_subobj );
             break;
         }
-        if( ASF_NextObject( s, p_subobj ) ) /* Go to the next object */
+        if( ASF_NextObject( s, p_subobj, 0 ) ) /* Go to the next object */
             break;
     }
     return VLC_SUCCESS;
@@ -505,7 +512,7 @@ static int ASF_ReadObject_header_extension( stream_t *s, asf_object_t *p_obj )
             break;
         }
 
-        if( ASF_NextObject( s, p_obj ) ) /* Go to the next object */
+        if( ASF_NextObject( s, p_obj, 0 ) ) /* Go to the next object */
         {
             break;
         }
@@ -1603,6 +1610,7 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
 {
     asf_object_root_t *p_root = malloc( sizeof( asf_object_root_t ) );
     asf_object_t *p_obj;
+    uint64_t i_boundary = 0;
 
     if( !p_root )
         return NULL;
@@ -1632,12 +1640,15 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
         switch( p_obj->common.i_type )
         {
             case( ASF_OBJECT_HEADER ):
+                if ( p_root->p_index || p_root->p_data || p_root->p_hdr ) break;
                 p_root->p_hdr = (asf_object_header_t*)p_obj;
                 break;
             case( ASF_OBJECT_DATA ):
+                if ( p_root->p_index || p_root->p_data ) break;
                 p_root->p_data = (asf_object_data_t*)p_obj;
-                break;
+            break;
             case( ASF_OBJECT_INDEX ):
+                if ( p_root->p_index ) break;
                 p_root->p_index = (asf_object_index_t*)p_obj;
                 break;
             default:
@@ -1645,6 +1656,13 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
                       GUID_PRINT( p_obj->common.i_object_id ) );
                 break;
         }
+
+        /* Set a limit to avoid junk when possible */
+        if ( !guidcmp( &p_obj->common.i_object_id, &asf_object_file_properties_guid ) )
+        {
+            i_boundary = p_obj->file_properties.i_file_size;
+        }
+
         if( p_obj->common.i_type == ASF_OBJECT_DATA &&
             p_obj->common.i_object_size <= 50 )
         {
@@ -1657,7 +1675,7 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
             break;
         }
 
-        if( ASF_NextObject( s, p_obj ) ) /* Go to the next object */
+        if( ASF_NextObject( s, p_obj, i_boundary ) ) /* Go to the next object */
             break;
     }
 



More information about the vlc-commits mailing list