From 8b44be54e7563b5f67e4ee1c5d4b20f32164c7b7 Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 19 Jun 2015 21:43:55 +0200 Subject: demux_mkv: stricter realaudio extradata handling Verify memory accesses and such. The behavior should be equivalent. (RealAudio causes pain for everyone even in its grave.) --- demux/demux_mkv.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'demux/demux_mkv.c') diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c index 773a8a288a..e4c93f93ed 100644 --- a/demux/demux_mkv.c +++ b/demux/demux_mkv.c @@ -1426,12 +1426,14 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track) track->sub_packet_h = AV_RB16(src + 40); sh_a->block_align = track->audiopk_size = AV_RB16(src + 42); track->sub_packet_size = AV_RB16(src + 44); + int offset = 0; if (version == 4) { - src += RAPROPERTIES4_SIZE; - src += src[0] + 1; - src += src[0] + 1; + offset += RAPROPERTIES4_SIZE; + if (offset + 1 > track->private_size) + goto error; + offset += (src[offset] + 1) * 2 + 3; } else { - src += RAPROPERTIES5_SIZE; + offset += RAPROPERTIES5_SIZE + 3 + (version == 5 ? 1 : 0); } if (track->audiopk_size == 0 || track->sub_packet_size == 0 || @@ -1440,15 +1442,15 @@ static int demux_mkv_open_audio(demuxer_t *demuxer, mkv_track_t *track) if (track->coded_framesize > 0x40000000) goto error; - src += 3; - if (version == 5) - src++; - uint32_t codecdata_length = AV_RB32(src); - if (codecdata_length > 0x1000000) + if (offset + 4 > track->private_size) + goto error; + uint32_t codecdata_length = AV_RB32(src + offset); + offset += 4; + if (offset > track->private_size || + codecdata_length > track->private_size - offset) goto error; - src += 4; extradata_len = codecdata_length; - extradata = src; + extradata = src + offset; if (!strcmp(track->codec_id, "A_REAL/ATRC")) { sh->codec = "atrac3"; -- cgit v1.2.3