diff options
| author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-18 16:36:31 +0000 |
|---|---|---|
| committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-18 16:36:31 +0000 |
| commit | c62b455944c8c91bd4d9ae5e8000ec33190174c5 (patch) | |
| tree | 3578282592cd5a84e330fd4c41a3c6afa7d50d17 /src | |
| parent | d797ae8a0d0e011515b37e76cbc0c0b869714ea3 (diff) | |
| parent | f4b5e62eb102b684ea206112d09cfcbc05e1e91e (diff) | |
| download | xine-lib-c62b455944c8c91bd4d9ae5e8000ec33190174c5.tar.gz xine-lib-c62b455944c8c91bd4d9ae5e8000ec33190174c5.tar.bz2 | |
Merge from 1.1.
Diffstat (limited to 'src')
| -rw-r--r-- | src/demuxers/demux_real.c | 34 | ||||
| -rw-r--r-- | src/input/libreal/rmff.c | 27 |
2 files changed, 55 insertions, 6 deletions
diff --git a/src/demuxers/demux_real.c b/src/demuxers/demux_real.c index 376eb63b2..d416ebeca 100644 --- a/src/demuxers/demux_real.c +++ b/src/demuxers/demux_real.c @@ -265,8 +265,12 @@ static void real_parse_index(demux_real_t *this) { this->input->seek(this->input, original_pos, SEEK_SET); } -static mdpr_t *real_parse_mdpr(const char *data) { - mdpr_t *mdpr=malloc(sizeof(mdpr_t)); +static mdpr_t *real_parse_mdpr(const char *data, const unsigned int size) +{ + if (size < 38) + return NULL; + + mdpr_t *mdpr=calloc(sizeof(mdpr_t), 1); mdpr->stream_number=_X_BE_16(&data[2]); mdpr->max_bit_rate=_X_BE_32(&data[4]); @@ -278,13 +282,25 @@ static mdpr_t *real_parse_mdpr(const char *data) { mdpr->duration=_X_BE_32(&data[28]); mdpr->stream_name_size=data[32]; + if (size < 38 + mdpr->stream_name_size) + goto fail; mdpr->stream_name=xine_memdup0(&data[33], mdpr->stream_name_size); + if (!mdpr->stream_name) + goto fail; mdpr->mime_type_size=data[33+mdpr->stream_name_size]; + if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size) + goto fail; mdpr->mime_type=xine_memdup0(&data[34+mdpr->stream_name_size], mdpr->mime_type_size); + if (!mdpr->mime_type) + goto fail; mdpr->type_specific_len=_X_BE_32(&data[34+mdpr->stream_name_size+mdpr->mime_type_size]); + if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data) + goto fail; mdpr->type_specific_data=xine_memdup(&data[38+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len); + if (!mdpr->type_specific_data) + goto fail; lprintf("MDPR: stream number: %i\n", mdpr->stream_number); lprintf("MDPR: maximal bit rate: %i\n", mdpr->max_bit_rate); @@ -302,6 +318,13 @@ static mdpr_t *real_parse_mdpr(const char *data) { #endif return mdpr; + +fail: + free (mdpr->stream_name); + free (mdpr->mime_type); + free (mdpr->type_specific_data); + free (mdpr); + return NULL; } static void real_free_mdpr (mdpr_t *mdpr) { @@ -485,9 +508,14 @@ static void real_parse_headers (demux_real_t *this) { continue; } - mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer); + mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer, chunk_size); lprintf ("parsing type specific data...\n"); + if (!mdpr) { + free (chunk_buffer); + this->status = DEMUX_FINISHED; + return; + } if(!strcmp(mdpr->mime_type, "audio/X-MP3-draft-00")) { lprintf ("mpeg layer 3 audio detected...\n"); diff --git a/src/input/libreal/rmff.c b/src/input/libreal/rmff.c index 8142246b6..d4b6ad2e1 100644 --- a/src/input/libreal/rmff.c +++ b/src/input/libreal/rmff.c @@ -334,12 +334,14 @@ static rmff_prop_t *rmff_scan_prop(const char *data) { return prop; } -static rmff_mdpr_t *rmff_scan_mdpr(const char *data) { - - rmff_mdpr_t *mdpr = malloc(sizeof(rmff_mdpr_t)); +static rmff_mdpr_t *rmff_scan_mdpr(const char *data) +{ + rmff_mdpr_t *mdpr = calloc(sizeof(rmff_mdpr_t), 1); mdpr->object_id=_X_BE_32(data); mdpr->size=_X_BE_32(&data[4]); + if (mdpr->size < 46) + goto fail; mdpr->object_version=_X_BE_16(&data[8]); if (mdpr->object_version != 0) { @@ -355,15 +357,34 @@ static rmff_mdpr_t *rmff_scan_mdpr(const char *data) { mdpr->duration=_X_BE_32(&data[36]); mdpr->stream_name_size=data[40]; + if (mdpr->size < 46 + mdpr->stream_name_size) + goto fail; mdpr->stream_name = xine_memdup0(&data[41], mdpr->stream_name_size); + if (!mdpr->stream_name) + goto fail; mdpr->mime_type_size=data[41+mdpr->stream_name_size]; + if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size) + goto fail; mdpr->mime_type = xine_memdup0(&data[42+mdpr->stream_name_size], mdpr->mime_type_size); + if (!mdpr->mime_type) + goto fail; mdpr->type_specific_len=_X_BE_32(&data[42+mdpr->stream_name_size+mdpr->mime_type_size]); + if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data) + goto fail; mdpr->type_specific_data = xine_memdup(&data[46+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len); + if (!mdpr->type_specific_data) + goto fail; return mdpr; + +fail: + free (mdpr->stream_name); + free (mdpr->mime_type); + free (mdpr->type_specific_data); + free (mdpr); + return NULL; } static rmff_cont_t *rmff_scan_cont(const char *data) { |