matroskadec: validate lace_size when parsed

author Luca Barbato <lu_zero@gentoo.org>

Fri, 14 Sep 2012 19:24:23 +0000 (21:24 +0200)

committer Luca Barbato <lu_zero@gentoo.org>

Wed, 19 Sep 2012 18:34:14 +0000 (20:34 +0200)
author Luca Barbato <lu_zero@gentoo.org>
Fri, 14 Sep 2012 19:24:23 +0000 (21:24 +0200)
committer Luca Barbato <lu_zero@gentoo.org>
Wed, 19 Sep 2012 18:34:14 +0000 (20:34 +0200)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c

index 27c962e..ff2a6c2 100644 (file)
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1829,11 +1829,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                          }
                          total += lace_size[n];
                      }
+                    if (size <= total) {
+                        res = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                      lace_size[n] = size - total;
                      break;
                  }
  
                  case 0x2: /* fixed-size lacing */
+                    if (size != (size / laces) * size) {
+                        res = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                      for (n = 0; n < laces; n++)
                          lace_size[n] = size / laces;
                      break;
@@ -1844,7 +1852,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                      if (n < 0) {
                          av_log(matroska->ctx, AV_LOG_INFO,
                                 "EBML block data error\n");
-                        break;
+                        res = n;
+                        goto end;
                      }
                      data += n;
                      size -= n;
@@ -1856,13 +1865,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                          if (r < 0) {
                              av_log(matroska->ctx, AV_LOG_INFO,
                                     "EBML block data error\n");
-                            break;
+                            res = r;
+                            goto end;
                          }
                          data += r;
                          size -= r;
                          lace_size[n] = lace_size[n - 1] + snum;
                          total += lace_size[n];
                      }
+                    if (size <= total) {
+                        res = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                      lace_size[laces - 1] = size - total;
                      break;
                  }
@@ -1940,11 +1954,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                  uint32_t pkt_size = lace_size[n];
                  uint8_t *pkt_data = data;
  
-                if (pkt_size > size) {
-                    av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
-                    break;
-                }
-
                  if (encodings && encodings->scope & 1) {
                      res = matroska_decode_buffer(&pkt_data, &pkt_size, track);
                      if (res < 0)
author	Luca Barbato <lu_zero@gentoo.org>
	Fri, 14 Sep 2012 19:24:23 +0000 (21:24 +0200)
committer	Luca Barbato <lu_zero@gentoo.org>
	Wed, 19 Sep 2012 18:34:14 +0000 (20:34 +0200)