From 97cdf31e3a618e2b4dcbd5ddf79dd8bcfc3a6533 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Thu, 2 Apr 2009 03:54:35 +0100
Subject: ID3v2 tags with zero-length content are allowed.
---
 src/demuxers/id3.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/demuxers')
diff --git a/src/demuxers/id3.c b/src/demuxers/id3.c
index ba8f50676..db5bba8f6 100644
--- a/src/demuxers/id3.c
+++ b/src/demuxers/id3.c
@@ -373,7 +373,7 @@ static int id3v22_parse_tag(input_plugin_t *input,
 while ((pos + ID3V22_FRAME_HEADER_SIZE) <= tag_header.size) {
 if (id3v22_parse_frame_header(input, &tag_frame_header)) {
 pos += ID3V22_FRAME_HEADER_SIZE;
- if (tag_frame_header.id && tag_frame_header.size) {
+ if (tag_frame_header.id) {
 if ((pos + tag_frame_header.size) <= tag_header.size) {
 if (!id3v22_interp_frame(input, stream, &tag_frame_header)) {
 xprintf(stream->xine, XINE_VERBOSITY_DEBUG,
@@ -570,7 +570,7 @@ static int id3v23_parse_tag(input_plugin_t *input,
 while ((pos + ID3V23_FRAME_HEADER_SIZE) <= tag_header.size) {
 if (id3v23_parse_frame_header(input, &tag_frame_header)) {
 pos += ID3V23_FRAME_HEADER_SIZE;
- if (tag_frame_header.id && tag_frame_header.size) {
+ if (tag_frame_header.id) {
 if ((pos + tag_frame_header.size) <= tag_header.size) {
 if (!id3v23_interp_frame(input, stream, &tag_frame_header)) {
 xprintf(stream->xine, XINE_VERBOSITY_DEBUG,
@@ -826,7 +826,7 @@ static int id3v24_parse_tag(input_plugin_t *input,
 while ((pos + ID3V24_FRAME_HEADER_SIZE) <= tag_header.size) {
 if (id3v24_parse_frame_header(input, &tag_frame_header)) {
 pos += ID3V24_FRAME_HEADER_SIZE;
- if (tag_frame_header.id && tag_frame_header.size) {
+ if (tag_frame_header.id) {
 if ((pos + tag_frame_header.size) <= tag_header.size) {
 if (!id3v24_interp_frame(input, stream, &tag_frame_header)) {
 xprintf(stream->xine, XINE_VERBOSITY_DEBUG,
-- cgit v1.2.3
From 20ec585fdc3280fd2acd9ec6f544004544ceb76d Mon Sep 17 00:00:00 2001
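Review bot: With `&& tag_frame_header.size` removed, a frame whose size field is 0 is now handed to `id3v22_interp_frame` in id3v22_parse_tag, and the same applies to `id3v23_interp_frame` and `id3v24_interp_frame` in the two later hunks of this commit. Those callees are outside the hunks, so it is not visible whether they cope with an empty payload; text frames normally begin with an encoding byte, and a reader that takes that byte without checking the length would use a byte it never read from the file. Either confirm that each interp function returns early for a zero size, or record the new contract at the call site with a comment such as `/* zero-length frames are legal; interp must accept size == 0 */`. The enclosing while loop starts and ends outside the hunk.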
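Review bot: In id3v23_parse_tag the bound `(pos + tag_frame_header.size) <= tag_header.size` is additive, and the ID3v2.3 frame size is a raw 32-bit value taken from the file (`_X_BE_32(&buf[4])` in id3v23_parse_frame_header, visible in the next commit on this page), so on builds where `size_t` is 32 bits the sum can wrap and an oversized frame passes the check. The loop condition has already established that `pos` does not exceed `tag_header.size` here, so the subtraction form cannot underflow: `if (tag_frame_header.size <= tag_header.size - pos) {`. The v2.2 and v2.4 parsers read synchsafe sizes and are less exposed, but using the same form there keeps the three loops consistent. The declaration of `pos` is outside the hunk, so its type should be confirmed.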
From: Darren Salt
Date: Thu, 2 Apr 2009 03:55:02 +0100
Subject: Fix up some warnings found while debugging the ID3v2 code.
---
 src/demuxers/id3.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'src/demuxers')
diff --git a/src/demuxers/id3.c b/src/demuxers/id3.c
index db5bba8f6..c6f261468 100644
--- a/src/demuxers/id3.c
+++ b/src/demuxers/id3.c
@@ -241,7 +241,7 @@ static int id3v2_parse_header(input_plugin_t *input, uint8_t *mp3_frame_header,
 lprintf("tag: ID3 v2.%d.%d\n", mp3_frame_header[3], tag_header->revision);
 lprintf("flags: %d\n", tag_header->flags);
- lprintf("size: %d\n", tag_header->size);
+ lprintf("size: %zu\n", tag_header->size);
 return 1;
 } else {
 return 0;
@@ -261,7 +261,7 @@ static int id3v22_parse_frame_header(input_plugin_t *input,
 frame_header->size = _X_BE_24_synchsafe(&buf[3]);
- lprintf("frame: %c%c%c: size: %d\n", buf[0], buf[1], buf[2],
+ lprintf("frame: %c%c%c: size: %zu\n", buf[0], buf[1], buf[2],
 frame_header->size);
 return 1;
@@ -417,7 +417,7 @@ static int id3v23_parse_frame_header(input_plugin_t *input,
 frame_header->size = _X_BE_32(&buf[4]);
 frame_header->flags = _X_BE_16(buf + 8);
- lprintf("frame: %c%c%c%c, size: %d, flags: %X\n", buf[0], buf[1], buf[2], buf[3],
+ lprintf("frame: %c%c%c%c, size: %zu, flags: %X\n", buf[0], buf[1], buf[2], buf[3],
 frame_header->size, frame_header->flags);
 return 1;
@@ -453,11 +453,11 @@ static int id3v23_parse_frame_ext_header(input_plugin_t *input,
 }
 } else {
- lprintf("invalid ext header size: %d\n", frame_ext_header->size);
+ lprintf("invalid ext header size: %zu\n", frame_ext_header->size);
 return 0;
 }
- lprintf("ext header: size: %d, flags: %X, padding_size: %d, crc: %d\n",
+ lprintf("ext header: size: %zu, flags: %X, padding_size: %d, crc: %d\n",
 frame_ext_header->size, frame_ext_header->flags, frame_ext_header->padding_size, frame_ext_header->crc);
 return 1;
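Review bot: The ext-header trace in id3v23_parse_frame_ext_header still prints `padding_size` and `crc` with `%d` after `size` was moved to `%zu`. Their declarations are not on this page; if they are unsigned 32-bit fields like the other values read from the file, anything above INT_MAX will print as a negative number, which is misleading when the trace is being used to inspect a malformed tag. `%u` (or `PRIu32` from `<inttypes.h>`) for those two keeps the line consistent: `"ext header: size: %zu, flags: %X, padding_size: %u, crc: %u\n"`. The same question applies to `crc: %d` in id3v24_parse_ext_header later in this commit.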
@@ -585,7 +585,7 @@ static int id3v23_parse_tag(input_plugin_t *input,
 pos += tag_frame_header.size;
 } else {
 /* end of frames, the rest is padding */
- lprintf("skipping padding %d bytes\n", tag_header.size - pos);
+ lprintf("skipping padding %zu bytes\n", tag_header.size - pos);
 input->seek (input, tag_header.size - pos, SEEK_CUR);
 return 1;
 }
@@ -631,7 +631,7 @@ static int id3v24_parse_frame_header(input_plugin_t *input,
 frame_header->size = _X_BE_32_synchsafe(&buf[4]);
 frame_header->flags = _X_BE_16(&buf[8]);
- lprintf("frame: %c%c%c%c, size: %d, flags: %X\n", buf[0], buf[1], buf[2], buf[3],
+ lprintf("frame: %c%c%c%c, size: %zu, flags: %X\n", buf[0], buf[1], buf[2], buf[3],
 frame_header->size, frame_header->flags);
 return 1;
@@ -711,7 +711,7 @@ static int id3v24_parse_ext_header(input_plugin_t *input,
 } else {
 return 0;
 }
- lprintf("ext header: size: %d, flags: %X, crc: %d, restrictions: %8X\n",
+ lprintf("ext header: size: %zu, flags: %X, crc: %d, restrictions: %8X\n",
 frame_ext_header->size, frame_ext_header->flags, frame_ext_header->crc, frame_ext_header->restrictions);
 return 1;
-- cgit v1.2.3
From 7e63be8ffb88c1fe981c7cf39c535a5553e35b31 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Sun, 8 Mar 2009 16:54:39 +0000
Subject: Fix another possible 4xm demuxer integer overflow.
--HG--
extra : transplant_source : U%AF%FD%B5%60%27Y%7F%B5Q%F796%F7a%98%F0k%B8%EF
---
 src/demuxers/demux_4xm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/demuxers')
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
index 015ed8b2f..397a271b8 100644
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -190,9 +190,9 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) {
 return 0;
 }
 const uint32_t current_track = _X_LE_32(&header[i + 8]);
- if (current_track + 1 > fourxm->track_count) {
+ if (current_track >= fourxm->track_count) {
 fourxm->track_count = current_track + 1;
- if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+ if (!fourxm->track_count || fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
 free(header);
 return 0;
 }
-- cgit v1.2.3
From 1e81086a8196e09868e3726609b322f6acfabd04 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Wed, 1 Apr 2009 02:49:51 +0100
Subject: Fix an integer overflow in the Quicktime demuxer.
--HG--
extra : transplant_source : %AE%D3%DCw%0F%073h%5D%C0%B5%A7%BA%2B%95%81%95bT%D6
---
 src/demuxers/demux_qt.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'src/demuxers')
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index 4ad71e958..5aba5b479 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1535,7 +1535,8 @@ static qt_error parse_trak_atom (qt_trak *trak,
 } else if (current_atom == STTS_ATOM) {
 /* there should only be one of these atoms */
- if (trak->time_to_sample_table) {
+ if (trak->time_to_sample_table
+ || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
 last_error = QT_HEADER_TROUBLE;
 goto free_trak;
 }
@@ -1545,6 +1546,11 @@ static qt_error parse_trak_atom (qt_trak *trak,
 debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n", trak->time_to_sample_count);
+ if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
+ last_error = QT_HEADER_TROUBLE;
+ goto free_trak;
+ }
+
 trak->time_to_sample_table = (time_to_sample_table_t *)calloc( trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
 if (!trak->time_to_sample_table) {
-- cgit v1.2.3
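Review bot: On the rejection path in open_fourxm_file, `fourxm->track_count` has already been overwritten with the file-supplied value (0 after the wrap, or an over-limit count) while the track array still has its previous size. Any later code that trusts `track_count` would then index past the allocation; whether cleanup does so is outside this hunk. Validating before the assignment avoids leaving that state behind: `if (current_track >= UINT_MAX / sizeof(audio_track_t) - 1) { free(header); return 0; }` placed ahead of `fourxm->track_count = current_track + 1;`. If the current order is kept, a comment that `!fourxm->track_count` catches the `current_track == 0xFFFFFFFF` wrap would make the test readable.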
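Review bot: The STTS check `trak->time_to_sample_count > (current_atom_size - 12) / 8` in parse_trak_atom bounds the entry count by the atom's declared size, but nothing in either hunk shows that `current_atom_size` is itself limited to the bytes actually held in the trak atom buffer. If that size is not clamped to the enclosing atom before this point, the loop that fills the table could presumably still read past the buffer; the function continues outside both hunks, so this needs confirming there. The literals 12 and 8 are also unexplained, and whether 12 matches the offset of the first entry relative to how `current_atom_size` is measured cannot be checked from the hunk. A comment along the lines of `/* 12 = bytes before the first entry, 8 = bytes per stts entry */`, corrected against the atom layout, would document the arithmetic.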