[vlc-commits] demux: asf: check data object range when reading
Francois Cartegnie
git at videolan.org
Wed Nov 4 17:48:46 CET 2020
vlc/vlc-3.0 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Nov 4 10:10:47 2020 +0100| [41e69627fecfe6242507aee95120d2e4fd640a7d] | committer: Francois Cartegnie
demux: asf: check data object range when reading
(cherry picked from commit a4ed34d704ec8721b7d74542324f39c9f2aff508)
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=41e69627fecfe6242507aee95120d2e4fd640a7d
---
modules/demux/asf/asf.c | 3 ++-
modules/demux/asf/asfpacket.c | 17 ++++++++++++++++-
modules/demux/asf/asfpacket.h | 2 +-
modules/demux/mp4/mp4.c | 3 ++-
4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/modules/demux/asf/asf.c b/modules/demux/asf/asf.c
index a05ebe825b..bc132fe0ad 100644
--- a/modules/demux/asf/asf.c
+++ b/modules/demux/asf/asf.c
@@ -219,7 +219,8 @@ static int Demux( demux_t *p_demux )
/* Read and demux a packet */
if( DemuxASFPacket( &p_sys->packet_sys,
p_sys->p_fp->i_min_data_packet_size,
- p_sys->p_fp->i_max_data_packet_size ) <= 0 )
+ p_sys->p_fp->i_max_data_packet_size,
+ p_sys->i_data_begin, p_sys->i_data_end ) <= 0 )
{
p_sys->b_eos = true;
/* Check if we have concatenated files */
diff --git a/modules/demux/asf/asfpacket.c b/modules/demux/asf/asfpacket.c
index cd1ae0341c..bf3a51f709 100644
--- a/modules/demux/asf/asfpacket.c
+++ b/modules/demux/asf/asfpacket.c
@@ -398,10 +398,17 @@ skip:
}
int DemuxASFPacket( asf_packet_sys_t *p_packetsys,
- uint32_t i_data_packet_min, uint32_t i_data_packet_max )
+ uint32_t i_data_packet_min, uint32_t i_data_packet_max,
+ uint64_t i_data_begin, uint64_t i_data_end )
{
demux_t *p_demux = p_packetsys->p_demux;
+ const uint64_t i_read_pos = vlc_stream_Tell( p_demux->s );
+ if( i_read_pos < i_data_begin ||
+ i_data_packet_min > i_data_end ||
+ i_read_pos > i_data_end - i_data_packet_min )
+ return 0;
+
const uint8_t *p_peek;
ssize_t i_return = vlc_stream_Peek( p_demux->s, &p_peek,i_data_packet_min );
if( i_return <= 0 || (size_t) i_return < i_data_packet_min )
@@ -470,6 +477,14 @@ int DemuxASFPacket( asf_packet_sys_t *p_packetsys,
pkt.send_time = GetDWLE( p_peek + i_skip ); i_skip += 4;
/* uint16_t i_packet_duration = GetWLE( p_peek + i_skip ); */ i_skip += 2;
+ if( pkt.length > i_data_end ||
+ i_read_pos > i_data_end - pkt.length )
+ {
+ msg_Warn( p_demux, "pkt size %"PRIu32" at %"PRIu64" does not fit data chunk",
+ pkt.length, i_read_pos );
+ return 0;
+ }
+
i_return = vlc_stream_Peek( p_demux->s, &p_peek, pkt.length );
if( i_return <= 0 || pkt.length == 0 || (size_t)i_return < pkt.length )
{
diff --git a/modules/demux/asf/asfpacket.h b/modules/demux/asf/asfpacket.h
index 768ca22f0c..8d55155d40 100644
--- a/modules/demux/asf/asfpacket.h
+++ b/modules/demux/asf/asfpacket.h
@@ -57,5 +57,5 @@ struct asf_packet_sys_s
void (*pf_setaspectratio)(asf_packet_sys_t *, uint8_t, uint8_t, uint8_t);
};
-int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t );
+int DemuxASFPacket( asf_packet_sys_t *, uint32_t, uint32_t, uint64_t, uint64_t );
#endif
diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index b07d005f47..631cff43b7 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -612,7 +612,8 @@ static void MP4_Block_Send( demux_t *p_demux, mp4_track_t *p_track, block_t *p_b
p_track->i_dts_backup = p_block->i_dts;
p_track->i_pts_backup = p_block->i_pts;
/* And demux it as ASF packet */
- DemuxASFPacket( &p_demux->p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer );
+ DemuxASFPacket( &p_demux->p_sys->asfpacketsys, p_block->i_buffer, p_block->i_buffer,
+ 0, p_block->i_buffer );
vlc_stream_Delete(p_demux->s);
}
block_Release(p_block);
More information about the vlc-commits
mailing list