X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;ds=sidebyside;f=libavformat%2Fmpc8.c;h=b12a417f63239db9cbed402a04c77987a6da4179;hb=ef6a9e5e311f09fa8032974fa4d0c1e166a959bb;hp=0eb879ffc0d959c67f8fc63ff042b4546567bb5c;hpb=3e076faf3b86bb16f746e7c9b0cf3dac5f9a851a;p=ffmpeg diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 0eb879ffc0d..b12a417f632 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -127,7 +127,11 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size) pos = avio_tell(pb); *tag = avio_rl16(pb); *size = ffio_read_varlen(pb); - *size -= avio_tell(pb) - pos; + pos -= avio_tell(pb); + if (av_sat_add64(*size, pos) != (uint64_t)*size + pos) { + *size = -1; + } else + *size += pos; } static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) @@ -168,6 +172,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) size = gb_get_v(&gb); if(size > UINT_MAX/4 || size > c->samples/1152){ av_log(s, AV_LOG_ERROR, "Seek table is too big\n"); + av_free(buf); return; } seekd = get_bits(&gb, 4); @@ -177,12 +182,16 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) t = -(t & ~1); - pos = (t >> 1) + ppos[0]*2 - ppos[1]; - av_add_index_entry(s->streams[0], pos, i << seekd, 0, 0, AVINDEX_KEYFRAME); + pos = (t >> 1) + (uint64_t)ppos[0]*2 - ppos[1]; + av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; } @@ -211,7 +220,7 @@ static int mpc8_read_header(AVFormatContext *s) MPCContext *c = s->priv_data; AVIOContext *pb = s->pb; AVStream *st; - int tag = 0; + int tag = 0, ret; int64_t size, pos; c->header_pos = avio_tell(pb); @@ -252,12 +261,12 @@ static int mpc8_read_header(AVFormatContext *s) st->codecpar->codec_id = AV_CODEC_ID_MUSEPACK8; st->codecpar->bits_per_coded_sample = 16; - if (ff_get_extradata(s, st->codecpar, pb, 2) < 0) - return AVERROR(ENOMEM); + if ((ret = ff_get_extradata(s, st->codecpar, pb, 2)) < 0) + return ret; st->codecpar->channels = (st->codecpar->extradata[1] >> 4) + 1; st->codecpar->sample_rate = mpc8_rate[st->codecpar->extradata[0] >> 5]; - avpriv_set_pts_info(st, 32, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); + avpriv_set_pts_info(st, 64, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); st->start_time = 0; st->duration = c->samples / (1152 << (st->codecpar->extradata[1]&3)*2); size -= avio_tell(pb) - pos; @@ -276,7 +285,7 @@ static int mpc8_read_header(AVFormatContext *s) static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) { MPCContext *c = s->priv_data; - int tag; + int tag, ret; int64_t pos, size; while(!avio_feof(s->pb)){ @@ -287,11 +296,11 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ - if(av_get_packet(s->pb, pkt, size) < 0) - return AVERROR(ENOMEM); + if ((ret = av_get_packet(s->pb, pkt, size)) < 0) + return ret; pkt->stream_index = 0; pkt->duration = 1; return 0; @@ -309,9 +318,9 @@ static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestam int index = av_index_search_timestamp(st, timestamp, flags); if(index < 0) return -1; - if (avio_seek(s->pb, st->index_entries[index].pos, SEEK_SET) < 0) + if (avio_seek(s->pb, st->internal->index_entries[index].pos, SEEK_SET) < 0) return -1; - ff_update_cur_dts(s, st, st->index_entries[index].timestamp); + ff_update_cur_dts(s, st, st->internal->index_entries[index].timestamp); return 0; }