X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fpaf.c;h=f48b2e60cd3798171ba2e1e406c5ef93235bc18f;hb=bc70684e74a185d7b80c8b80bdedda659cb581b8;hp=fa30cdd72a0c0e83516bb5404c834e5e0815317b;hpb=b8eb0827f053230dd919bc73e25381b47b4fe1a7;p=ffmpeg
diff --git a/libavformat/paf.c b/libavformat/paf.c
index fa30cdd72a0..f48b2e60cd3 100644
--- a/libavformat/paf.c
+++ b/libavformat/paf.c
@@ -53,7 +53,7 @@ typedef struct PAFDemuxContext {
 int got_audio;
 } PAFDemuxContext;
-static int read_probe(AVProbeData *p)
+static int read_probe(const AVProbeData *p)
 {
 if ((p->buf_size >= strlen(MAGIC)) &&
 !memcmp(p->buf, MAGIC, strlen(MAGIC)))
@@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s)
 return 0;
 }
-static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count)
+static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count)
 {
 int i;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count; i++) {
+ if (avio_feof(s->pb))
+ return AVERROR_INVALIDDATA;
 table[i] = avio_rl32(s->pb);
+ }
 avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count));
+ return 0;
 }
 static int read_header(AVFormatContext *s)
@@ -132,6 +136,10 @@ static int read_header(AVFormatContext *s)
 p->start_offset = avio_rl32(pb);
 p->max_video_blks = avio_rl32(pb);
 p->max_audio_blks = avio_rl32(pb);
+
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
+
 if (p->buffer_size < 175 ||
 p->max_audio_blks < 2 ||
 p->max_video_blks < 1 ||
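Review bot: In the `-75,14` hunk, `read_table()` tests `avio_feof()` only before each `avio_rl32()`, so a file that ends inside the final entry appears to leave a zero-filled last element and still return 0. Re-testing once after the loop, e.g. `if (avio_feof(s->pb)) return AVERROR_INVALIDDATA;` ahead of the `avio_skip()`, would catch a table truncated at its tail; the result of `avio_skip()` is also ignored. The loop counter stays `int i` against a `uint32_t count`, which is safe only while every caller bounds `count` below INT_MAX, so a short comment such as `/* count is bounded by the INT_MAX checks in read_header() */` (or a `uint32_t i`) would make that dependency explicit.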
@@ -145,11 +153,11 @@ static int read_header(AVFormatContext *s)
 p->frame_blks > INT_MAX / sizeof(uint32_t))
 return AVERROR_INVALIDDATA;
- p->blocks_count_table = av_mallocz(p->nb_frames *
+ p->blocks_count_table = av_malloc_array(p->nb_frames,
 sizeof(*p->blocks_count_table));
- p->frames_offset_table = av_mallocz(p->nb_frames *
+ p->frames_offset_table = av_malloc_array(p->nb_frames,
 sizeof(*p->frames_offset_table));
- p->blocks_offset_table = av_mallocz(p->frame_blks *
+ p->blocks_offset_table = av_malloc_array(p->frame_blks,
 sizeof(*p->blocks_offset_table));
 p->video_size = p->max_video_blks * p->buffer_size;
@@ -171,9 +179,15 @@ static int read_header(AVFormatContext *s)
 avio_seek(pb, p->buffer_size, SEEK_SET);
- read_table(s, p->blocks_count_table, p->nb_frames);
- read_table(s, p->frames_offset_table, p->nb_frames);
- read_table(s, p->blocks_offset_table, p->frame_blks);
+ ret = read_table(s, p->blocks_count_table, p->nb_frames);
+ if (ret < 0)
+ goto fail;
+ ret = read_table(s, p->frames_offset_table, p->nb_frames);
+ if (ret < 0)
+ goto fail;
+ ret = read_table(s, p->blocks_offset_table, p->frame_blks);
+ if (ret < 0)
+ goto fail;
 p->got_audio = 0;
 p->current_frame = 0;
@@ -194,7 +208,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
 PAFDemuxContext *p = s->priv_data;
 AVIOContext *pb = s->pb;
 uint32_t count, offset;
- int size, i;
+ int size, i, ret;
 if (p->current_frame >= p->nb_frames)
 return AVERROR_EOF;
@@ -203,8 +217,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
 return AVERROR_EOF;
 if (p->got_audio) {
- if (av_new_packet(pkt, p->audio_size) < 0)
- return AVERROR(ENOMEM);
+ if ((ret = av_new_packet(pkt, p->audio_size)) < 0)
+ return ret;
 memcpy(pkt->data, p->temp_audio_frame, p->audio_size);
 pkt->duration = PAF_SOUND_SAMPLES * (p->audio_size / PAF_SOUND_FRAME_SIZE);
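Review bot: In the `-145,11` hunk, moving from `av_mallocz()` to `av_malloc_array()` gains the overflow-checked multiply but drops zero-initialisation, so the three tables now start as uninitialised heap memory. That is safe only because `read_table()` writes every element or fails the header, and the tables are later used as file-driven offsets (see `p->frames_offset_table[p->current_frame]` in read_packet). `av_calloc(p->nb_frames, sizeof(*p->blocks_count_table))` and its two siblings would keep both the overflow check and the zeroing. The NULL checks for these allocations lie outside the hunk, so whether they still cover all three pointers cannot be confirmed from here.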
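Review bot: In the `-171,9` hunk, the `avio_seek(pb, p->buffer_size, SEEK_SET)` directly above the new checks still has its result ignored, so after a failed seek the three `read_table()` calls would parse whatever bytes follow the header as table data without reporting an error. Something like `if (avio_seek(pb, p->buffer_size, SEEK_SET) < 0) { ret = AVERROR_INVALIDDATA; goto fail; }` would close that gap. The `fail:` label is outside the hunk; presumably it frees the three tables and returns `ret`, which is worth confirming now that `ret` can carry AVERROR_INVALIDDATA on this path.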
@@ -244,8 +258,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
 size = p->video_size - p->frames_offset_table[p->current_frame];
- if (av_new_packet(pkt, size) < 0)
- return AVERROR(ENOMEM);
+ if ((ret = av_new_packet(pkt, size)) < 0)
+ return ret;
 pkt->stream_index = 0;
 pkt->duration = 1;
@@ -257,7 +271,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
 return pkt->size;
 }
-AVInputFormat ff_paf_demuxer = {
+const AVInputFormat ff_paf_demuxer = {
 .name = "paf",
 .long_name = NULL_IF_CONFIG_SMALL("Amazing Studio Packed Animation File"),
 .priv_data_size = sizeof(PAFDemuxContext),
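Review bot: In the `-244,8` hunk, `size` is an `int` computed as `p->video_size - p->frames_offset_table[p->current_frame]`, and the table entry comes from the file, so an offset larger than `video_size` gives a wrapped or negative `size`. The new code then relies on `av_new_packet()` rejecting that value, and its error code is now propagated instead of being reported as ENOMEM. An explicit `if (p->frames_offset_table[p->current_frame] > p->video_size) return AVERROR_INVALIDDATA;` before the subtraction would state the bound directly, unless that validation already exists earlier in read_packet, which is outside the hunk. The code that copies into `pkt->data` after the allocation is also not visible here, so the bound it depends on should be checked against that copy.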