[vlc-commits] demux: asf: check data object range when reading
Francois Cartegnie
git at videolan.org
Wed Nov 4 10:48:35 CET 2020
vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Nov 4 10:10:47 2020 +0100| [a4ed34d704ec8721b7d74542324f39c9f2aff508] | committer: Francois Cartegnie
demux: asf: check data object range when reading
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a4ed34d704ec8721b7d74542324f39c9f2aff508
---
modules/demux/asf/asf.c | 3 ++-
modules/demux/asf/asfpacket.c | 17 ++++++++++++++++-
modules/demux/asf/asfpacket.h | 2 +-
modules/demux/mp4/mp4.c | 3 ++-
4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c
index 4828a77804..8446510fa6 100644
--- a/modules/demux/asf/asf.c
+++ b/modules/demux/asf/asf.c
@@ -221,7 +221,8 @@ static int Demux( demux_t *p_demux )
/* Read and demux a packet */
if( DemuxASFPacket( &p_sys->packet_sys,
p_sys->p_fp->i_min_data_packet_size,
- p_sys->p_fp->i_max_data_packet_size ) <= 0 )
+ p_sys->p_fp->i_max_data_packet_size,
+ p_sys->i_data_begin, p_sys->i_data_end ) <= 0 )
{
p_sys->b_eos = true;
/* Check if we have concatenated files */
diff --git a/modules/demux/asf/asfpacket.c b/modules/demux/asf/asfpacket.c
index 0b447352df..1a94dcf0b1 100644
--- a/modules/demux/asf/asfpacket.c
+++ b/modules/demux/asf/asfpacket.c
@@ -380,10 +380,17 @@ skip:
}
int DemuxASFPacket( asf_packet_sys_t *p_packetsys,
- uint32_t i_data_packet_min, uint32_t i_data_packet_max )
+ uint32_t i_data_packet_min, uint32_t i_data_packet_max,
+ uint64_t i_data_begin, uint64_t i_data_end )
{
demux_t *p_demux = p_packetsys->p_demux;
+ const uint64_t i_read_pos = vlc_stream_Tell( p_demux->s );
+ if( i_read_pos < i_data_begin ||
+ i_data_packet_min > i_data_end ||
+ i_read_pos > i_data_end - i_data_packet_min )
+ return 0;
+
const uint8_t *p_peek;
ssize_t i_return = vlc_stream_Peek( p_demux->s, &p_peek,i_data_packet_min );
if( i_return <= 0 || (size_t) i_return < i_data_packet_min )
@@ -452,6 +459,14 @@ int DemuxASFPacket( asf_packet_sys_t *p_packetsys,
pkt.send_time = VLC_TICK_FROM_MS(GetDWLE( p_peek + i_skip )); i_skip += 4;
/* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
+ if( pkt.length > i_data_end ||
+ i_read_pos > i_data_end - pkt.length )
+ {
+ msg_Warn( p_demux, "pkt size %"PRIu32" at %"PRIu64" does not fit data chunk",
+ pkt.length, i_read_pos );
+ return 0;
+ }
+
i_return = vlc_stream_Peek( p_demux->s, &p_peek, pkt.length );
if( i_return <= 0 || pkt.length == 0 || (size_t)i_return < pkt.length )
{
diff --git a/modules/demux/asf/asfpacket.h b/modules/demux/asf/asfpacket.h
index 9a5af1aa66..ba11d7f56d 100644
--- a/modules/demux/asf/asfpacket.h
+++ b/modules/demux/asf/asfpacket.h
@@ -57,5 +57,5 @@ struct asf_packet_sys_s
void (*pf_setaspectratio)(asf_packet_sys_t *, uint8_t, uint8_t, uint8_t);
};
-int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t );
+int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t, uint64_t, uint64_t );
#endif
diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index 875d8c4d38..152441750d 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -719,7 +719,8 @@ static void MP4_Block_Send( demux_t *p_demux, mp4_track_t *p_track, block_t *p_b
p_track->i_dts_backup = p_block->i_dts;
p_track->i_pts_backup = p_block->i_pts;
/* And demux it as ASF packet */
- DemuxASFPacket( &p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer );
+ DemuxASFPacket( &p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer,
+ 0, p_block->i_buffer );
vlc_stream_Delete(p_demux->s);
}
block_Release(p_block);
More information about the vlc-commits
mailing list