SMF: avoid a DOS if the SMF header is invalid

[vlc] / modules / demux / smf.c

diff --git a/modules/demux/smf.c b/modules/demux/smf.c
index 2f8e93aaf9c7f3952a1ce7d0ebce68584d6a0858..0c3820c088f729abe82e6214aa0b500c142c0269 100644 (file)
--- a/modules/demux/smf.c
+++ b/modules/demux/smf.c
@@ -26,8 +26,6 @@
 #include <vlc_common.h>
 #include <vlc_plugin.h>
 #include <vlc_demux.h>
-#include <vlc_aout.h>
-#include <vlc_codecs.h>
 #include <vlc_charset.h>
 #include <limits.h>
 
@@ -187,7 +185,7 @@ static int Open (vlc_object_t * p_this)
 
     /* Default SMF tempo is 120BPM, i.e. half a second per quarter note */
     date_Init (&p_sys->pts, ppqn * 2, 1);
-    date_Set (&p_sys->pts, 1);
+    date_Set (&p_sys->pts, 0);
     p_sys->pulse        = 0;
     p_sys->ppqn         = ppqn;
 
@@ -211,7 +209,13 @@ static int Open (vlc_object_t * p_this)
 
         for (;;)
         {
-            stream_Read (stream, head, 8);
+            if (stream_Read (stream, head, 8) < 8)
+            {
+                /* FIXME: don't give up if we have at least one valid track */
+                msg_Err (p_this, "incomplete SMF chunk, file is corrupted");
+                goto error;
+            }
+
             if (memcmp (head, "MTrk", 4) == 0)
                 break;
 
@@ -232,8 +236,6 @@ static int Open (vlc_object_t * p_this)
     es_format_t  fmt;
     es_format_Init (&fmt, AUDIO_ES, VLC_CODEC_MIDI);
     fmt.audio.i_channels = 2;
-    fmt.audio.i_original_channels = fmt.audio.i_physical_channels =
-        AOUT_CHAN_LEFT | AOUT_CHAN_RIGHT;
     fmt.audio.i_rate = 44100; /* dummy value */
     p_sys->es = es_out_Add (p_demux->out, &fmt);
 
@@ -449,7 +451,7 @@ int HandleMeta (demux_t *p_demux, mtrk_t *tr)
     }
 
     free (payload);
-    return 0;
+    return ret;
 }
 
 
@@ -473,19 +475,22 @@ int HandleMessage (demux_t *p_demux, mtrk_t *tr)
         case 0xF0: /* System Exclusive */
             switch (event)
             {
-                case 0xF0: /* System Specific */
+                case 0xF0: /* System Specific start */
+                case 0xF7: /* System Specific continuation */
                 {
-                    /* TODO: don't skip these */
-                    stream_Read (s, NULL, 1); /* Manuf ID */
-                    for (;;)
-                    {
-                        uint8_t c;
-                        if (stream_Read (s, &c, 1) != 1)
-                            return -1;
-                        if (c == 0xF7)
-                            goto skip;
-                    }
-                    /* never reached */
+                    /* Variable length followed by SysEx event data */
+                    int32_t len = ReadVarInt (s);
+                    if (len == -1)
+                        return -1;
+
+                    block = stream_Block (s, len);
+                    if (block == NULL)
+                        return -1;
+                    block = block_Realloc (block, 1, len);
+                    if (block == NULL)
+                        return -1;
+                    block->p_buffer[0] = event;
+                    goto send;
                 }
                 case 0xFF: /* SMF Meta Event */
                     if (HandleMeta (p_demux, tr))
@@ -505,13 +510,11 @@ int HandleMessage (demux_t *p_demux, mtrk_t *tr)
                     /* We cannot handle undefined "common" (non-real-time)
                      * events inside SMF, as we cannot differentiate a
                      * one byte delta-time (< 0x80) from event data. */
-                case 0xF7: /* End of sysex -> should never happen(?) */
-                    msg_Err (p_demux, "unknown MIDI event 0x%02X", event);
-                    return -1; /* undefined events */
                 default:
                     datalen = 0;
                     break;
             }
+            break;
         case 0xC0:
         case 0xD0:
             datalen = 1;
@@ -544,7 +547,8 @@ int HandleMessage (demux_t *p_demux, mtrk_t *tr)
             stream_Read (s, block->p_buffer + 2, datalen - 1);
     }
 
-    block->i_dts = block->i_pts = date_Get (&p_demux->p_sys->pts);
+send:
+    block->i_dts = block->i_pts = VLC_TS_0 + date_Get (&p_demux->p_sys->pts);
     es_out_Send (p_demux->out, p_demux->p_sys->es, block);
 
 skip:
@@ -557,7 +561,7 @@ skip:
 }
 
 /*****************************************************************************
- * Demux: read chunks and send them to the synthetizer
+ * Demux: read chunks and send them to the synthesizer
  *****************************************************************************
  * Returns -1 in case of error, 0 in case of EOF, 1 otherwise
  *****************************************************************************/
@@ -570,7 +574,7 @@ static int Demux (demux_t *p_demux)
     if (pulse == UINT64_MAX)
         return 0; /* all tracks are done */
 
-    es_out_Control (p_demux->out, ES_OUT_SET_PCR, date_Get (&p_sys->pts));
+    es_out_Control (p_demux->out, ES_OUT_SET_PCR, VLC_TS_0 + date_Get (&p_sys->pts));
 
     for (unsigned i = 0; i < p_sys->trackc; i++)
     {
@@ -604,7 +608,7 @@ static int Demux (demux_t *p_demux)
             break;
 
         tick->p_buffer[0] = 0xF9;
-        tick->i_dts = tick->i_pts = cur_tick++ * 10000;
+        tick->i_dts = tick->i_pts = VLC_TS_0 + cur_tick++ * 10000;
         es_out_Send (p_demux->out, p_sys->es, tick);
     }