5d595b79bd
Fix for stack buffer overflow vulnerability while parsing malformed TwinVQ media files. From upstream SVN. ok biorn@
57 lines
2.4 KiB
Plaintext
57 lines
2.4 KiB
Plaintext
$OpenBSD: patch-libmpdemux_demux_vqf_c,v 1.1 2008/12/15 21:30:07 naddy Exp $
|
|
--- libmpdemux/demux_vqf.c.orig Sun Oct 7 21:49:33 2007
|
|
+++ libmpdemux/demux_vqf.c Mon Dec 15 19:10:38 2008
|
|
@@ -50,11 +50,14 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) {
|
|
unsigned chunk_size;
|
|
hi->size=chunk_size=stream_read_dword(s); /* include itself */
|
|
stream_read(s,chunk_id,4);
|
|
+ if (chunk_size < 8) return NULL;
|
|
+ chunk_size -= 8;
|
|
if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('C','O','M','M'))
|
|
{
|
|
- char buf[chunk_size-8];
|
|
+ char buf[BUFSIZ];
|
|
unsigned i,subchunk_size;
|
|
- if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL;
|
|
+ if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL;
|
|
+ if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL;
|
|
i=0;
|
|
subchunk_size=be2me_32(*((uint32_t *)&buf[0]));
|
|
hi->channelMode=be2me_32(*((uint32_t *)&buf[4]));
|
|
@@ -83,13 +86,15 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) {
|
|
sh_audio->samplesize = 4;
|
|
w->wBitsPerSample = 8*sh_audio->samplesize;
|
|
w->cbSize = 0;
|
|
+ if (subchunk_size > chunk_size - 4) continue;
|
|
i+=subchunk_size+4;
|
|
- while(i<chunk_size-8)
|
|
+ while(i + 8 < chunk_size)
|
|
{
|
|
unsigned slen,sid;
|
|
- char sdata[chunk_size];
|
|
+ char sdata[BUFSIZ];
|
|
sid=*((uint32_t *)&buf[i]); i+=4;
|
|
slen=be2me_32(*((uint32_t *)&buf[i])); i+=4;
|
|
+ if (slen > sizeof(sdata) - 1 || slen > chunk_size - i) break;
|
|
if(sid==mmioFOURCC('D','S','I','Z'))
|
|
{
|
|
hi->Dsiz=be2me_32(*((uint32_t *)&buf[i]));
|
|
@@ -141,7 +146,7 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) {
|
|
if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('D','A','T','A'))
|
|
{
|
|
demuxer->movi_start=stream_tell(s);
|
|
- demuxer->movi_end=demuxer->movi_start+chunk_size-8;
|
|
+ demuxer->movi_end=demuxer->movi_start+chunk_size;
|
|
mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end);
|
|
/* Done! play it */
|
|
break;
|
|
@@ -149,7 +154,7 @@ static demuxer_t* demux_open_vqf(demuxer_t* demuxer) {
|
|
else
|
|
{
|
|
mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",((char *)&chunk_id)[0],((char *)&chunk_id)[1],((char *)&chunk_id)[2],((char *)&chunk_id)[3],chunk_size);
|
|
- stream_skip(s,chunk_size-8); /*unknown chunk type */
|
|
+ stream_skip(s,chunk_size); /*unknown chunk type */
|
|
}
|
|
}
|
|
|