X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fmms.c;h=16babc095424726e0430ef0465b3b7d5919e4e63;hb=4390573c44a47e0bed4790a45934006df7ee1e2f;hp=17fa76a8d44d67f32acfae3b81def50ae6e1536b;hpb=0ac379863231dbf84a97a01845c6d00cc00610c1;p=ffmpeg
diff --git a/libavformat/mms.c b/libavformat/mms.c
index 17fa76a8d44..16babc09542 100644
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@@ -60,7 +60,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 if (mms->asf_header_size < sizeof(ff_asf_guid) * 2 + 22 ||
 memcmp(p, ff_asf_header, sizeof(ff_asf_guid))) {
- av_log(NULL, AV_LOG_ERROR,
+ av_log(mms->mms_hd, AV_LOG_ERROR,
 "Corrupt stream (invalid ASF header, size=%d)\n",
 mms->asf_header_size);
 return AVERROR_INVALIDDATA;
@@ -77,7 +77,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 chunksize = AV_RL64(p + sizeof(ff_asf_guid));
 }
 if (!chunksize || chunksize > end - p) {
- av_log(NULL, AV_LOG_ERROR,
+ av_log(mms->mms_hd, AV_LOG_ERROR,
 "Corrupt stream (header chunksize %"PRId64" is invalid)\n",
 chunksize);
 return AVERROR_INVALIDDATA;
@@ -87,31 +87,33 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 if (end - p > sizeof(ff_asf_guid) * 2 + 68) {
 mms->asf_packet_len = AV_RL32(p + sizeof(ff_asf_guid) * 2 + 64);
 if (mms->asf_packet_len <= 0 || mms->asf_packet_len > sizeof(mms->in_buffer)) {
- av_log(NULL, AV_LOG_ERROR,
+ av_log(mms->mms_hd, AV_LOG_ERROR,
 "Corrupt stream (too large pkt_len %d)\n",
 mms->asf_packet_len);
 return AVERROR_INVALIDDATA;
 }
 }
 } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) {
- flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
- stream_id = flags & 0x7F;
- //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
- //we can calculate the packet size by stream_num.
- //Please see function send_stream_selection_request().
- if (mms->stream_num < MMS_MAX_STREAMS &&
- 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
- mms->streams = av_fast_realloc(mms->streams,
- &mms->nb_streams_allocated,
- (mms->stream_num + 1) * sizeof(MMSStream));
- if (!mms->streams)
- return AVERROR(ENOMEM);
- mms->streams[mms->stream_num].id = stream_id;
- mms->stream_num++;
- } else {
- av_log(NULL, AV_LOG_ERROR,
- "Corrupt stream (too many A/V streams)\n");
- return AVERROR_INVALIDDATA;
+ if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) {
+ flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
+ stream_id = flags & 0x7F;
+ //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
+ //we can calculate the packet size by stream_num.
+ //Please see function send_stream_selection_request().
+ if (mms->stream_num < MMS_MAX_STREAMS &&
+ 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
+ mms->streams = av_fast_realloc(mms->streams,
+ &mms->nb_streams_allocated,
+ (mms->stream_num + 1) * sizeof(MMSStream));
+ if (!mms->streams)
+ return AVERROR(ENOMEM);
+ mms->streams[mms->stream_num].id = stream_id;
+ mms->stream_num++;
+ } else {
+ av_log(mms->mms_hd, AV_LOG_ERROR,
+ "Corrupt stream (too many A/V streams)\n");
+ return AVERROR_INVALIDDATA;
+ }
 }
 } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
 if (end - p >= 88) {
@@ -119,7 +121,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 uint64_t skip_bytes = 88;
 while (stream_count--) {
 if (end - p < skip_bytes + 4) {
- av_log(NULL, AV_LOG_ERROR,
+ av_log(mms->mms_hd, AV_LOG_ERROR,
 "Corrupt stream (next stream name length is not in the buffer)\n");
 return AVERROR_INVALIDDATA;
 }
@@ -127,14 +129,14 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 }
 while (ext_len_count--) {
 if (end - p < skip_bytes + 22) {
- av_log(NULL, AV_LOG_ERROR,
+ av_log(mms->mms_hd, AV_LOG_ERROR,
 "Corrupt stream (next extension system info length is not in the buffer)\n");
 return AVERROR_INVALIDDATA;
 }
 skip_bytes += 22 + AV_RL32(p + skip_bytes + 18);
 }
 if (end - p < skip_bytes) {
- av_log(NULL, AV_LOG_ERROR,
+ av_log(mms->mms_hd, AV_LOG_ERROR,
 "Corrupt stream (the last extension system info length is invalid)\n");
 return AVERROR_INVALIDDATA;
 }
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 }
 }
 } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
 chunksize = 46; // see references [2] section 3.4. This should be set 46.
+ if (chunksize > end - p) {
+ av_log(mms->mms_hd, AV_LOG_ERROR,
+ "Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+ chunksize);
+ return AVERROR_INVALIDDATA;
+ }
 }
 p += chunksize;
 }
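Review bot: The new length guard in the `ff_asf_stream_header` branch of the `@@ -87,31 +87,33 @@` hunk tests the bytes left in the whole header buffer, `end - p`, rather than this object's own `chunksize`, which the check in the `@@ -77,7 +77,7 @@` hunk already holds to at most `end - p`. A stream-header object that declares fewer than `sizeof(ff_asf_guid) * 3 + 26` bytes but is followed by further objects still passes, so `flags` is read from the next object's bytes; the read stays inside the buffer, but the stream id then comes from unrelated data. Bounding the read by the object itself, `if (chunksize >= sizeof(ff_asf_guid) * 3 + 26) {`, ties the field access to the chunk being parsed. The guard also has no `else`, so a too-short stream header is skipped without any log line; a short comment such as `// too short to carry a stream number: skip this object` would record that the skip is intentional. The enclosing loop and function start and end outside the hunk.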
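Review bot: The message added in the `ff_asf_head1_guid` branch of the `@@ -143,6 +145,12 @@` hunk will always read `header chunksize 46 is invalid`, which blames the fixed constant instead of the real condition, a header buffer that ends before the 46-byte object does. Wording that names the condition, for example `"Corrupt stream (header object is truncated, %"PRId64" bytes needed)\n"`, is easier to act on when triaging a malformed stream. The check is needed here because `chunksize` is overwritten after the validation shown in the `@@ -77,7 +77,7 @@` hunk has already run. A single re-check placed immediately before `p += chunksize;` would cover this branch and any other that rewrites `chunksize`, without repeating the block. The loop that contains these lines starts outside the hunk.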