[vlc-commits] demux: asf: enforce root object boundary (fix #9441)
Francois Cartegnie
git at videolan.org
Tue Nov 26 08:46:17 CET 2013
vlc/vlc-2.1 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Nov 25 18:13:09 2013 +0100| [366019d8cca6749af98467c0fc3c9610df624f8c] | committer: Jean-Baptiste Kempf
demux: asf: enforce root object boundary (fix #9441)
It seems some encoder reuses a previous memory area for junk sections.
(cherry picked from commit 2ca8c9db8064dcb8b9c683ec9b160464f6f3580e)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.1.git/?a=commit;h=366019d8cca6749af98467c0fc3c9610df624f8c
---
modules/demux/asf/libasf.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index bbcfc5d..dcc9b73 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -141,9 +141,16 @@ static int ASF_ReadObjectCommon( stream_t *s, asf_object_t *p_obj )
return VLC_SUCCESS;
}
-static int ASF_NextObject( stream_t *s, asf_object_t *p_obj )
+static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary )
{
asf_object_t obj;
+
+ int64_t i_pos = stream_Tell( s );
+ if ( i_boundary && i_pos >= 0 && (uint64_t) i_pos >= i_boundary )
+ {
+ return VLC_EGENERIC;
+ }
+
if( p_obj == NULL )
{
if( ASF_ReadObjectCommon( s, &obj ) )
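Review bot: The new guard at the top of ASF_NextObject skips the boundary test whenever stream_Tell() returns a negative position, so a failed tell is treated as "inside the boundary" and the function carries on to the next object. Failing closed would be safer: `if ( i_pos < 0 || ( i_boundary && (uint64_t) i_pos >= i_boundary ) ) return VLC_EGENERIC;`. The guard also tests only the current read position; the body continues outside the hunk, so it cannot be seen whether the computed next-object offset is compared with i_boundary before seeking, which would be the tighter bound. The 0-means-unlimited convention, relied on by the ASF_ReadObject_Header and ASF_ReadObject_header_extension call sites, deserves a comment above the function, e.g. `/* i_boundary: absolute stream offset past which no object is read; 0 disables the check */`.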
@@ -213,7 +220,7 @@ static int ASF_ReadObject_Header( stream_t *s, asf_object_t *p_obj )
free( p_subobj );
break;
}
- if( ASF_NextObject( s, p_subobj ) ) /* Go to the next object */
+ if( ASF_NextObject( s, p_subobj, 0 ) ) /* Go to the next object */
break;
}
return VLC_SUCCESS;
@@ -505,7 +512,7 @@ static int ASF_ReadObject_header_extension( stream_t *s, asf_object_t *p_obj )
break;
}
- if( ASF_NextObject( s, p_obj ) ) /* Go to the next object */
+ if( ASF_NextObject( s, p_obj, 0 ) ) /* Go to the next object */
{
break;
}
@@ -1544,6 +1551,7 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
{
asf_object_root_t *p_root = malloc( sizeof( asf_object_root_t ) );
asf_object_t *p_obj;
+ uint64_t i_boundary = 0;
if( !p_root )
return NULL;
@@ -1573,12 +1581,15 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
switch( p_obj->common.i_type )
{
case( ASF_OBJECT_HEADER ):
+ if ( p_root->p_index || p_root->p_data || p_root->p_hdr ) break;
p_root->p_hdr = (asf_object_header_t*)p_obj;
break;
case( ASF_OBJECT_DATA ):
+ if ( p_root->p_index || p_root->p_data ) break;
p_root->p_data = (asf_object_data_t*)p_obj;
- break;
+ break;
case( ASF_OBJECT_INDEX ):
+ if ( p_root->p_index ) break;
p_root->p_index = (asf_object_index_t*)p_obj;
break;
default:
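Review bot: The three added `if ( ... ) break;` guards in the switch encode an ordering rule that nothing states: only the first header, and only before any data or index object; only the first data object, and only before an index; only the first index. A one-line `break` inside a `case` is also easy to misread as the normal end of the case. A comment above the switch such as `/* Keep only the first HEADER, DATA and INDEX, in that order; later or out-of-order ones are treated as junk */` would make the intent reviewable. A rejected p_obj is no longer referenced from p_hdr, p_data or p_index, and whether it stays linked under the root and is freed with it is decided outside this hunk, so that is worth confirming.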
@@ -1586,6 +1597,13 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
GUID_PRINT( p_obj->common.i_object_id ) );
break;
}
+
+ /* Set a limit to avoid junk when possible */
+ if ( !guidcmp( &p_obj->common.i_object_id, &asf_object_file_properties_guid ) )
+ {
+ i_boundary = p_obj->file_properties.i_file_size;
+ }
+
if( p_obj->common.i_type == ASF_OBJECT_DATA &&
p_obj->common.i_object_size <= 50 )
{
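Review bot: `i_boundary = p_obj->file_properties.i_file_size;` takes the limit straight from a file-controlled field with no sanity check. A damaged or crafted value larger than the real stream leaves the root loop effectively unbounded, and a value below the current offset makes the next ASF_NextObject call stop parsing. Where the stream size is known, comparing the field with `stream_Size( s )` and ignoring it when implausible would make the bound dependable. Separately, the guidcmp is applied to the object read at root level; if File Properties objects are only parsed as children of the header object, as the sub-object loop in ASF_ReadObject_Header suggests, this condition may never match here, which is worth confirming.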
@@ -1598,7 +1616,7 @@ asf_object_root_t *ASF_ReadObjectRoot( stream_t *s, int b_seekable )
break;
}
- if( ASF_NextObject( s, p_obj ) ) /* Go to the next object */
+ if( ASF_NextObject( s, p_obj, i_boundary ) ) /* Go to the next object */
break;
}