[vlc-devel] commit: Fix handling of dirac EOSdataunit. (David Flynn )

git version control git at videolan.org
Sun Jul 27 16:15:30 CEST 2008 

vlc | branch: master | David Flynn <davidf at woaf.net> | Sun Jul 27 00:08:02 2008 +0100| [379212dbee5545f94dbd76c3b3f171e9b5e1fd53]

Fix handling of dirac EOSdataunit.

 - Fixes infinite loop when next_parse_offset = 0
 - Fixes memory access to invalid data with malformed ogg input.

Signed-off-by: David Flynn <davidf at woaf.net>
Signed-off-by: Derk-Jan Hartman <hartman at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=379212dbee5545f94dbd76c3b3f171e9b5e1fd53
---

 modules/codec/schroedinger.c |    4 ++++
 modules/demux/ogg.c          |   21 +++++++++++----------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
index 2c4a2c3..960e53a 100644
--- a/modules/codec/schroedinger.c
+++ b/modules/codec/schroedinger.c
@@ -435,6 +435,10 @@ static picture_t *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
             size_t i_pulen = GetDWBE( p_block->p_buffer + i_bufused + 5 );
             uint8_t *p_pu = p_block->p_buffer + i_bufused;
 
+            if( 0 == i_pulen ) {
+                i_pulen = 13;
+            }
+
             /* blocks that do not start with the parse info prefix are invalid */
             if( p_pu[0] != 'B' || p_pu[1] != 'B' ||
                 p_pu[2] != 'C' || p_pu[3] != 'D')
diff --git a/modules/demux/ogg.c b/modules/demux/ogg.c
index dbd7345..e3440d5 100644
--- a/modules/demux/ogg.c
+++ b/modules/demux/ogg.c
@@ -1556,18 +1556,19 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
 static uint32_t Ogg_ReadDiracPictureNumber( ogg_packet *p_oggpacket )
 {
     uint32_t u_pos = 4;
-    /* find the picture startcode */
-    while ( (p_oggpacket->packet[u_pos] & 0x08) == 0) {
+    /* protect against falling off the edge */
+    while ( u_pos + 13 < p_oggpacket->bytes ) {
+        /* find the picture startcode */
+        if ( p_oggpacket->packet[u_pos] & 0x08 ) {
+            return GetDWBE( p_oggpacket->packet + u_pos + 9 );
+        }
         /* skip to the next dirac parse unit */
-        u_pos += GetDWBE( p_oggpacket->packet + u_pos + 1 );
-        /* protect against falling off the edge */
-        if ( u_pos > p_oggpacket->bytes )
-             return -1;
+        uint32_t u_npo = GetDWBE( p_oggpacket->packet + u_pos + 1 );
+        if (u_npo == 0)
+            u_npo = 13;
+        u_pos += u_npo;
     }
-
-    uint32_t u_pnum = GetDWBE( p_oggpacket->packet + u_pos + 9 );
-
-    return u_pnum;
+    return -1;
 }
 
 static uint32_t dirac_uint( bs_t *p_bs )

More information about the vlc-devel mailing list