X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fmms.c;h=fb16a3c9ef0a8f7440aefea42bb4c100080d67be;hb=b5aa48551300eed678aaea86ced7086758598a35;hp=73f4e6b671af3cdbf16090439b7332f35fd54acb;hpb=67197656d19fa9e084e47b5331c262a9c7842335;p=ffmpeg diff --git a/libavformat/mms.c b/libavformat/mms.c index 73f4e6b671a..fb16a3c9ef0 100644 --- a/libavformat/mms.c +++ b/libavformat/mms.c @@ -1,29 +1,31 @@ /* * MMS protocol common definitions. * Copyright (c) 2006,2007 Ryan Martell - * Copyright (c) 2007 Björn Axelsson + * Copyright (c) 2007 Björn Axelsson * Copyright (c) 2010 Zhentan Feng * - * This file is part of FFmpeg. + * This file is part of Libav. * - * FFmpeg is free software; you can redistribute it and/or + * Libav is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * FFmpeg is distributed in the hope that it will be useful, + * Libav is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with FFmpeg; if not, write to the Free Software + * License along with Libav; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include "mms.h" #include "asf.h" #include "libavutil/intreadwrite.h" +#define MMS_MAX_STREAMS 256 /**< arbitrary sanity check value */ + int ff_mms_read_header(MMSContext *mms, uint8_t *buf, const int size) { char *pos; 
@@ -97,7 +99,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
 //we can calcuate the packet size by stream_num.
 //Please see function send_stream_selection_request(). 
- if (mms->stream_num < MAX_STREAMS && 
+ if (mms->stream_num < MMS_MAX_STREAMS &&
 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
 mms->streams = av_fast_realloc(mms->streams,
 &mms->nb_streams_allocated, 
@@ -109,6 +111,34 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 "Corrupt stream (too many A/V streams)\n");
 return AVERROR_INVALIDDATA;
 } 
+ } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { 
+ if (end - p >= 88) { 
+ int stream_count = AV_RL16(p + 84), ext_len_count = AV_RL16(p + 86); 
+ uint64_t skip_bytes = 88; 
+ while (stream_count--) { 
+ if (end - p < skip_bytes + 4) { 
+ av_log(NULL, AV_LOG_ERROR, 
+ "Corrupt stream (next stream name length is not in the buffer)\n"); 
+ return AVERROR_INVALIDDATA; 
+ } 
+ skip_bytes += 4 + AV_RL16(p + skip_bytes + 2); 
+ } 
+ while (ext_len_count--) { 
+ if (end - p < skip_bytes + 22) { 
+ av_log(NULL, AV_LOG_ERROR, 
+ "Corrupt stream (next extension system info length is not in the buffer)\n"); 
+ return AVERROR_INVALIDDATA; 
+ } 
+ skip_bytes += 22 + AV_RL32(p + skip_bytes + 18); 
+ } 
+ if (end - p < skip_bytes) { 
+ av_log(NULL, AV_LOG_ERROR, 
+ "Corrupt stream (the last extension system info length is invalid)\n"); 
+ return AVERROR_INVALIDDATA; 
+ } 
+ if (chunksize - skip_bytes > 24) 
+ chunksize = skip_bytes; 
+ }
 } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
 chunksize = 46; // see references [2] section 3.4. This should be set 46.
 }
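Review bot: In the extension-system loop of the third hunk, `skip_bytes += 22 + AV_RL32(p + skip_bytes + 18);` does the addition in 32-bit unsigned arithmetic before it is widened to the `uint64_t` accumulator (AV_RL32 yields a 32-bit unsigned value in libavutil), so a length field close to 0xFFFFFFFF wraps to a small step instead of failing the next bounds check. The reads themselves stay inside the buffer because each one is re-checked against `end - p`, but an oversized length is accepted and parsing continues from the wrong offset; widening first avoids that: `skip_bytes += 22 + (uint64_t)AV_RL32(p + skip_bytes + 18);`. The closing test `chunksize - skip_bytes > 24` likewise wraps when `chunksize` is unsigned and smaller than `skip_bytes` (its declaration is outside the hunk, so this is inferred), which would enlarge the chunk rather than reject it; `if (chunksize > skip_bytes && chunksize - skip_bytes > 24)` states the intent without relying on wraparound. ff_mms_asf_header_parser begins and ends outside this hunk.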