[vlc-devel] [PATCH 2/2] [schroedinger] Fix handling of dirac EOSdataunit.

David Flynn davidf+nntp at woaf.net
Sun Jul 27 01:16:20 CEST 2008


From: David Flynn <davidf at woaf.net>

 - Fixes infinite loop when next_parse_offset = 0
 - Fixes memory access to invalid data with malformed ogg input.

Signed-off-by: David Flynn <davidf at woaf.net>
---
 modules/codec/schroedinger.c |    4 ++++
 modules/demux/ogg.c          |   21 +++++++++++----------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
index 668f4dc..85a735e 100644
--- a/modules/codec/schroedinger.c
+++ b/modules/codec/schroedinger.c
@@ -431,6 +431,10 @@ static picture_t *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
             size_t i_pulen = GetDWBE( p_block->p_buffer + i_bufused + 5 );
             uint8_t *p_pu = p_block->p_buffer + i_bufused;
 
+            if( 0 == i_pulen ) {
+                i_pulen = 13;
+            }
+
             /* blocks that do not start with the parse info prefix are invalid */
             if( p_pu[0] != 'B' || p_pu[1] != 'B' ||
                 p_pu[2] != 'C' || p_pu[3] != 'D')
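Review bot: Only the value 0 is normalised at `if( 0 == i_pulen )`; a non-zero `i_pulen` shorter than the 13-byte parse info header, or longer than what is left in `p_block`, is not rejected by anything visible in this hunk. DecodeBlock starts and ends outside the hunk, so please confirm that the code after the `BBCD` prefix test bounds `i_bufused + i_pulen` against `p_block->i_buffer` before the unit is used. The bare `13` also needs a comment, since the same literal is repeated in modules/demux/ogg.c: `/* next_parse_offset of 0 (seen on the EOS data unit): step over the 13-byte parse info header */`. A shared named constant for the header size would keep the two files in agreement.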
diff --git a/modules/demux/ogg.c b/modules/demux/ogg.c
index dbd7345..e3440d5 100644
--- a/modules/demux/ogg.c
+++ b/modules/demux/ogg.c
@@ -1556,18 +1556,19 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
 static uint32_t Ogg_ReadDiracPictureNumber( ogg_packet *p_oggpacket )
 {
     uint32_t u_pos = 4;
-    /* find the picture startcode */
-    while ( (p_oggpacket->packet[u_pos] & 0x08) == 0) {
+    /* protect against falling off the edge */
+    while ( u_pos + 13 < p_oggpacket->bytes ) {
+        /* find the picture startcode */
+        if ( p_oggpacket->packet[u_pos] & 0x08 ) {
+            return GetDWBE( p_oggpacket->packet + u_pos + 9 );
+        }
         /* skip to the next dirac parse unit */
-        u_pos += GetDWBE( p_oggpacket->packet + u_pos + 1 );
-        /* protect against falling off the edge */
-        if ( u_pos > p_oggpacket->bytes )
-             return -1;
+        uint32_t u_npo = GetDWBE( p_oggpacket->packet + u_pos + 1 );
+        if (u_npo == 0)
+            u_npo = 13;
+        u_pos += u_npo;
     }
-
-    uint32_t u_pnum = GetDWBE( p_oggpacket->packet + u_pos + 9 );
-
-    return u_pnum;
+    return -1;
 }
 
 static uint32_t dirac_uint( bs_t *p_bs )
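Review bot: `u_pos += u_npo;` adds a 32-bit offset read straight from the packet with no upper bound, so the uint32_t sum can wrap around. After a wrap, `u_pos` can move backwards, in which case the loop is no longer guaranteed to terminate, or it can end up so large that `u_pos + 13` wraps as well and the `< p_oggpacket->bytes` guard passes for an offset outside the packet. Reject the unit before advancing when the offset exceeds what remains: `if ( u_npo > p_oggpacket->bytes - u_pos ) return -1;`. Separately, `return -1` from a function returning uint32_t yields 0xFFFFFFFF, which a caller cannot distinguish from a picture number of that value; a comment on the function should state that sentinel.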
-- 
1.5.4.3




