From e81f6fca6f99e83338959f956b1f4d1e14602078 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sat, 28 Jun 2008 22:12:00 +0000
Subject: [PATCH] Fixed segfault when parsing wav file to check for dts/a52.
---
 modules/demux/a52.c | 21 ++++++++++++---------
 modules/demux/dts.c | 34 ++++++++++++++++++----------------
 2 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/modules/demux/a52.c b/modules/demux/a52.c
index fc675a52df..defb32b3b5 100644
--- a/modules/demux/a52.c
+++ b/modules/demux/a52.c
@@ -74,9 +74,9 @@ static int CheckSync( const uint8_t *p_peek, bool *p_big_endian );
 #define PCM_FRAME_SIZE (1536 * 4)
 #define A52_PACKET_SIZE (4 * PCM_FRAME_SIZE)
+#define A52_PROBE_SIZE (512*1024)
 #define A52_MAX_HEADER_SIZE 10
-
 /*****************************************************************************
 * Open: initializes ES structures
 *****************************************************************************/
@@ -89,24 +89,27 @@ static int Open( vlc_object_t * p_this ) bool b_big_endian = 0; /* Arbitrary initialisation */ /* Check if we are dealing with a WAV file */ - if( stream_Peek( p_demux->s, &p_peek, 12 ) == 12 && - !memcmp( p_peek, "RIFF", 4 ) && !memcmp( p_peek + 8, "WAVE", 4 ) ) + if( stream_Peek( p_demux->s, &p_peek, 12+8 ) == 12+8 && + !memcmp( p_peek, "RIFF", 4 ) && !memcmp( &p_peek[8], "WAVE", 4 ) ) { - int i_size; - /* Skip the wave header */ i_peek = 12 + 8; - while( stream_Peek( p_demux->s, &p_peek, i_peek ) == i_peek && - memcmp( p_peek + i_peek - 8, "data", 4 ) ) + while( memcmp( p_peek + i_peek - 8, "data", 4 ) ) { - i_peek += GetDWLE( p_peek + i_peek - 4 ) + 8; + uint32_t i_len = GetDWLE( p_peek + i_peek - 4 ); + if( i_len > A52_PROBE_SIZE || i_peek + i_len > A52_PROBE_SIZE ) + return VLC_EGENERIC; + + i_peek += i_len + 8; + if( stream_Peek( p_demux->s, &p_peek, i_peek ) != i_peek ) + return VLC_EGENERIC; } /* TODO: should check wave format and sample_rate */ /* Some A52 wav files don't begin with a sync code so we do a more * extensive search */ - i_size = stream_Peek( p_demux->s, &p_peek, i_peek + A52_PACKET_SIZE * 2); + int i_size = stream_Peek( p_demux->s, &p_peek, i_peek + A52_PACKET_SIZE * 2); i_size -= (PCM_FRAME_SIZE + A52_MAX_HEADER_SIZE); while( i_peek < i_size ) diff --git a/modules/demux/dts.c b/modules/demux/dts.c index 4b00f3a9c2..914c77b378 100644 --- a/modules/demux/dts.c +++ b/modules/demux/dts.c 
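Review bot: The length guard in the chunk-walking loop, `if( i_len > A52_PROBE_SIZE || i_peek + i_len > A52_PROBE_SIZE )`, needs a comment saying why both terms are there, because the first one looks redundant and is the kind of thing a later cleanup removes. `i_len` is a 32-bit value read straight from the file, so the sum can wrap unless `i_len` is bounded on its own first (this assumes `i_peek` is a 32-bit int; it is declared outside the hunk). A line such as `/* i_len is untrusted: bound it alone first so i_peek + i_len cannot wrap */` above the check would do, and the same comment fits the "fmt " and "data" loops in dts.c. Separately, RIFF chunks are padded to an even size, so `i_peek += i_len + 8;` loses chunk alignment after an odd-length chunk; the walk stays bounded by the probe size, but such a file may fail the probe.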
@@ -85,49 +85,51 @@ static int Open( vlc_object_t * p_this ) if( stream_Peek( p_demux->s, &p_peek, 20 ) == 20 && !memcmp( p_peek, "RIFF", 4 ) && !memcmp( &p_peek[8], "WAVE", 4 ) ) { - int i_size; - /* Find the wave format header */ - i_peek = 20; + i_peek = 12 + 8; while( memcmp( p_peek + i_peek - 8, "fmt ", 4 ) ) { - i_size = GetDWLE( p_peek + i_peek - 4 ); - if( i_size + i_peek > DTS_PROBE_SIZE ) return VLC_EGENERIC; - i_peek += i_size + 8; + uint32_t i_len = GetDWLE( p_peek + i_peek - 4 ); + if( i_len > DTS_PROBE_SIZE || i_peek + i_len > DTS_PROBE_SIZE ) + return VLC_EGENERIC; + i_peek += i_len + 8; if( stream_Peek( p_demux->s, &p_peek, i_peek ) != i_peek ) return VLC_EGENERIC; } /* Sanity check the wave format header */ - i_size = GetDWLE( p_peek + i_peek - 4 ); - if( i_size + i_peek > DTS_PROBE_SIZE ) return VLC_EGENERIC; - i_peek += i_size + 8; + uint32_t i_len = GetDWLE( p_peek + i_peek - 4 ); + if( i_len > DTS_PROBE_SIZE ) + return VLC_EGENERIC; + + i_peek += i_len + 8; if( stream_Peek( p_demux->s, &p_peek, i_peek ) != i_peek ) return VLC_EGENERIC; - if( GetWLE( p_peek + i_peek - i_size - 8 /* wFormatTag */ ) != + if( GetWLE( p_peek + i_peek - i_len - 8 /* wFormatTag */ ) != 1 /* WAVE_FORMAT_PCM */ ) return VLC_EGENERIC; - if( GetWLE( p_peek + i_peek - i_size - 6 /* nChannels */ ) != 2 ) + if( GetWLE( p_peek + i_peek - i_len - 6 /* nChannels */ ) != 2 ) return VLC_EGENERIC; - if( GetDWLE( p_peek + i_peek - i_size - 4 /* nSamplesPerSec */ ) != + if( GetDWLE( p_peek + i_peek - i_len - 4 /* nSamplesPerSec */ ) != 44100 ) return VLC_EGENERIC; /* Skip the wave header */ while( memcmp( p_peek + i_peek - 8, "data", 4 ) ) { - i_size = GetDWLE( p_peek + i_peek - 4 ); - if( i_size + i_peek > DTS_PROBE_SIZE ) return VLC_EGENERIC; - i_peek += i_size + 8; + uint32_t i_len = GetDWLE( p_peek + i_peek - 4 ); + if( i_len > DTS_PROBE_SIZE || i_peek + i_len > DTS_PROBE_SIZE ) + return VLC_EGENERIC; + i_peek += i_len + 8; if( stream_Peek( p_demux->s, &p_peek, i_peek ) != 
i_peek ) return VLC_EGENERIC; } /* Some DTS wav files don't begin with a sync code so we do a more * extensive search */ - i_size = stream_Peek( p_demux->s, &p_peek, DTS_PROBE_SIZE ); + int i_size = stream_Peek( p_demux->s, &p_peek, DTS_PROBE_SIZE ); i_size -= DTS_MAX_HEADER_SIZE; while( i_peek < i_size ) -- 2.39.5
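Review bot: The fmt-chunk check under "Sanity check the wave format header" tests only `i_len > DTS_PROBE_SIZE`, while the two loops around it (and the line this replaces) also bound `i_peek + i_len`, so the peek requested here can reach roughly twice DTS_PROBE_SIZE. It also accepts a chunk shorter than the 8 bytes covered by the wFormatTag, nChannels and nSamplesPerSec reads; those reads stay inside the peeked buffer only because of the `+ 8` added for the next chunk header, and they then compare bytes of that header instead of format fields. I would write the guard as `if( i_len < 8 || i_len > DTS_PROBE_SIZE || i_peek + i_len > DTS_PROBE_SIZE )`. Open() starts before and continues past this hunk, so `i_peek` is assumed to be an int.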