[vlc-commits] demux: asf: stay within track limits

Francois Cartegnie git at videolan.org
Mon Oct 6 17:28:28 CEST 2014 

vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Sun Oct  5 16:22:18 2014 +0200| [9ccb8651baeca05c501193b1b371fbdef9a208ac] | committer: Jean-Baptiste Kempf

demux: asf: stay within track limits

(cherry picked from commit a61da5b40d25af4fd0417eb3a9a172a92e62c659)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=9ccb8651baeca05c501193b1b371fbdef9a208ac
---

 modules/demux/asf/asf.c    |    4 +++-
 modules/demux/asf/libasf.c |   24 +++++++++++++++++++++---
 modules/demux/asf/libasf.h |    4 +++-
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c
index 21d59a0..7e14232 100644
--- a/modules/demux/asf/asf.c
+++ b/modules/demux/asf/asf.c
@@ -72,7 +72,7 @@ static int Demux  ( demux_t * );
 static int Control( demux_t *, int i_query, va_list args );
 static void FlushRemainingPackets( demux_t *p_demux );
 
-#define MAX_ASF_TRACKS 128
+#define MAX_ASF_TRACKS (ASF_MAX_STREAMNUMBER + 1)
 #define ASF_PREROLL_FROM_CURRENT -1
 
 typedef struct
@@ -745,6 +745,8 @@ static int DemuxPayload(demux_t *p_demux, struct asf_packet_t *pkt, int i_payloa
 
     bool b_packet_keyframe = pkt->p_peek[pkt->i_skip] >> 7;
     uint8_t i_stream_number = pkt->p_peek[pkt->i_skip++] & 0x7f;
+    if ( i_stream_number >= MAX_ASF_TRACKS )
+        goto skip;
 
     uint32_t i_media_object_number = 0;
     if (GetValue2b(&i_media_object_number, pkt->p_peek, &pkt->i_skip, pkt->left - pkt->i_skip, pkt->property >> 4) < 0)
diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index e0ff405..7171549 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -543,7 +543,9 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
     p_sp->i_type_specific_data_length = GetDWLE( p_peek + 64 );
     p_sp->i_error_correction_data_length = GetDWLE( p_peek + 68 );
     p_sp->i_flags = GetWLE( p_peek + 72 );
-        p_sp->i_stream_number = p_sp->i_flags&0x07f;
+    p_sp->i_stream_number = p_sp->i_flags&0x07f;
+    if ( p_sp->i_stream_number > ASF_MAX_STREAMNUMBER )
+        return VLC_EGENERIC;
     p_sp->i_reserved = GetDWLE( p_peek + 74 );
     i_peek -= 78;
 
@@ -828,13 +830,15 @@ static int ASF_ReadObject_stream_bitrate_properties( stream_t *s,
     p_data = &p_peek[24];
 
     p_sb->i_bitrate = ASF_READ2();
-    if( p_sb->i_bitrate > 127 )
-        p_sb->i_bitrate = 127;  /* Buggy ? */
+    if( p_sb->i_bitrate > ASF_MAX_STREAMNUMBER )
+        p_sb->i_bitrate = ASF_MAX_STREAMNUMBER;  /* Buggy ? */
     for( i = 0; i < p_sb->i_bitrate; i++ )
     {
         if( !ASF_HAVE(2 + 4) )
             break;
         p_sb->bitrate[i].i_stream_number = (uint8_t) ASF_READ2()& 0x7f;
+        if ( p_sb->bitrate[i].i_stream_number > ASF_MAX_STREAMNUMBER )
+            return VLC_EGENERIC;
         p_sb->bitrate[i].i_avg_bitrate = ASF_READ4();
     }
     p_sb->i_bitrate = i;
@@ -879,6 +883,8 @@ static int ASF_ReadObject_extended_stream_properties( stream_t *s,
     p_esp->i_maximum_object_size = GetDWLE( &p_data[40] );
     p_esp->i_flags = GetDWLE( &p_data[44] );
     p_esp->i_stream_number = GetWLE( &p_data[48] );
+    if ( p_esp->i_stream_number > ASF_MAX_STREAMNUMBER )
+        return VLC_EGENERIC;
     p_esp->i_language_index = GetWLE( &p_data[50] );
     p_esp->i_average_time_per_frame= GetQWLE( &p_data[52] );
     p_esp->i_stream_name_count = GetWLE( &p_data[60] );
@@ -1021,12 +1027,19 @@ static int ASF_ReadObject_advanced_mutual_exclusion( stream_t *s,
 
     p_ae->i_stream_number_count = ASF_READ2();
     p_ae->pi_stream_number = calloc( p_ae->i_stream_number_count, sizeof(uint16_t) );
+    if ( !p_ae->pi_stream_number )
+        return VLC_ENOMEM;
 
     for( i = 0; i < p_ae->i_stream_number_count; i++ )
     {
         if( !ASF_HAVE(2) )
             break;
         p_ae->pi_stream_number[i] = ASF_READ2();
+        if ( p_ae->pi_stream_number[i] > ASF_MAX_STREAMNUMBER )
+        {
+            free( p_ae->pi_stream_number );
+            return VLC_EGENERIC;
+        }
     }
     p_ae->i_stream_number_count = i;
 
@@ -1133,6 +1146,11 @@ static int ASF_ReadObject_bitrate_mutual_exclusion( stream_t *s, asf_object_t *p
         if( !ASF_HAVE(2) )
             break;
         p_ex->pi_stream_numbers[i] = ASF_READ2();
+        if ( p_ex->pi_stream_numbers[i] > ASF_MAX_STREAMNUMBER )
+        {
+            free( p_ex->pi_stream_numbers );
+            return VLC_EGENERIC;
+        }
     }
 
 #ifdef ASF_DEBUG
diff --git a/modules/demux/asf/libasf.h b/modules/demux/asf/libasf.h
index ee2c20d..e8b792d 100644
--- a/modules/demux/asf/libasf.h
+++ b/modules/demux/asf/libasf.h
@@ -21,6 +21,8 @@
  *****************************************************************************/
 
 
+#define ASF_MAX_STREAMNUMBER 127
+
 /*****************************************************************************
  * Structure needed for decoder
  *****************************************************************************/
@@ -244,7 +246,7 @@ typedef struct
     {
         uint8_t  i_stream_number;
         uint32_t i_avg_bitrate;
-    } bitrate[128];
+    } bitrate[ASF_MAX_STREAMNUMBER + 1];
 } asf_object_stream_bitrate_properties_t;

More information about the vlc-commits mailing list