Do not read data past the end of the SSND chunk in the AIFF demuxer.

Fixes Issue 1455.

Originally committed as revision 20219 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/aiff.c b/libavformat/aiff.c
index 570e05d..b9ee595 100644 (file)
--- a/libavformat/aiff.c
+++ b/libavformat/aiff.c
@@ -46,6 +46,10 @@ static const AVCodecTag codec_aiff_tags[] = {
 #define AIFF                    0
 #define AIFF_C_VERSION1         0xA2805140
 
+typedef struct {
+    int64_t data_end;
+} AIFFInputContext;
+
 static enum CodecID aiff_codec_get_id(int bps)
 {
     if (bps <= 8)
@@ -314,6 +318,7 @@ static int aiff_read_header(AVFormatContext *s,
     unsigned version = AIFF_C_VERSION1;
     ByteIOContext *pb = s->pb;
     AVStream * st;
+    AIFFInputContext *aiff = s->priv_data;
 
     /* check FORM header */
     filesize = get_tag(pb, &tag);
@@ -366,6 +371,7 @@ static int aiff_read_header(AVFormatContext *s,
             get_meta(s, "comment"  , size);
             break;
         case MKTAG('S', 'S', 'N', 'D'):     /* Sampled sound chunk */
+            aiff->data_end = url_ftell(pb) + size;
             offset = get_be32(pb);      /* Offset of sound data */
             get_be32(pb);               /* BlockSize... don't care */
             offset += url_ftell(pb);    /* Compute absolute data offset */
@@ -420,10 +426,18 @@ static int aiff_read_packet(AVFormatContext *s,
                             AVPacket *pkt)
 {
     AVStream *st = s->streams[0];
+    AIFFInputContext *aiff = s->priv_data;
+    int64_t max_size;
     int res;
 
+    /* calculate size of remaining data */
+    max_size = aiff->data_end - url_ftell(s->pb);
+    if (max_size <= 0)
+        return AVERROR_EOF;
+
     /* Now for that packet */
-    res = av_get_packet(s->pb, pkt, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
+    max_size = FFMIN(max_size, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
+    res = av_get_packet(s->pb, pkt, max_size);
     if (res < 0)
         return res;
 
@@ -436,7 +450,7 @@ static int aiff_read_packet(AVFormatContext *s,
 AVInputFormat aiff_demuxer = {
     "aiff",
     NULL_IF_CONFIG_SMALL("Audio IFF"),
-    0,
+    sizeof(AIFFInputContext),
     aiff_probe,
     aiff_read_header,
     aiff_read_packet,