Commit 164e35e7 authored by conrad's avatar conrad

Mozilla #515376: Check index in dirac_parse_info()

parent 876faea2
......@@ -109,7 +109,7 @@ dirac_bool ( dirac_bs_t *p_bs )
return dirac_bs_read ( p_bs, 1 );
}
void
int
dirac_parse_info (dirac_info *info, unsigned char * data, long len)
{
dirac_bs_t bs;
......@@ -152,6 +152,10 @@ dirac_parse_info (dirac_info *info, unsigned char * data, long len)
info->level = dirac_uint( &bs ); /* level */
info->video_format = video_format = dirac_uint( &bs ); /* index */
if (video_format >= (sizeof(dirac_fsize_tbl) / sizeof(dirac_fsize_tbl[0]))) {
return -1;
}
info->width = dirac_fsize_tbl[video_format].width;
info->height = dirac_fsize_tbl[video_format].height;
if (dirac_bool( &bs )) {
......@@ -187,4 +191,6 @@ dirac_parse_info (dirac_info *info, unsigned char * data, long len)
info->fps_denominator = dirac_uint( &bs );
}
}
}
\ No newline at end of file
return 0;
}
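Review bot: `info->fps_denominator = dirac_uint( &bs );` near the end of dirac_parse_info() still takes its value straight from the stream, so the new -1 return covers only the dirac_fsize_tbl index. If a caller divides by that field (the tools code prints a frame rate and auto_dirac sets a granulerate from this struct, though the arithmetic is not visible here), a zero denominator would pass as success; consider `if (info->fps_denominator == 0) return -1;` after the read. The function body starts and continues outside these hunks, so any other table lookups keyed by parsed values should be checked for the same pattern.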
......@@ -24,6 +24,10 @@ typedef struct {
ogg_uint32_t top_field_first;
} dirac_info;
extern void dirac_parse_info (dirac_info *info, unsigned char *data, long len);
/**
* \return -1 Error: parse failure, invalid size index
* \return 0 Success
*/
extern int dirac_parse_info (dirac_info *info, unsigned char *data, long len);
#endif
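Review bot: The new doc comment does not say what state `*info` is in when -1 is returned. In the .c hunk, `info->level` and `info->video_format` are already written before the index check fails, so the struct is partially filled with an out-of-range `video_format`. I would add a line such as `* On -1 the contents of *info are unspecified and must not be used.` so that future callers do not read the struct after a failed parse.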
......@@ -371,7 +371,8 @@ auto_dirac (OGGZ * oggz, long serialno, unsigned char * data, long length, void
info = oggz_malloc(sizeof(dirac_info));
if (info == NULL) return -1;
dirac_parse_info(info, data, length);
if (dirac_parse_info(info, data, length) == -1)
return -1;
/* the granulerate is twice the frame rate (in order to handle interlace) */
oggz_set_granulerate (oggz, serialno,
......
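Review bot: The new early return in auto_dirac() leaks `info`, which was allocated with oggz_malloc() two lines earlier and is not released on the failure path. Since the failure is triggered by the stream's own header bytes, a file carrying many malformed Dirac headers would leak one dirac_info per attempt. Release it before returning, e.g. `if (dirac_parse_info(info, data, length) == -1) { oggz_free(info); return -1; }`. The rest of auto_dirac() is outside the hunk, so I cannot confirm how `info` is released on the success path.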
......@@ -289,7 +289,11 @@ ot_dirac_info (unsigned char * data, long len)
buf = malloc (80);
info = malloc(sizeof(dirac_info));
dirac_parse_info(info, data, len);
if (dirac_parse_info(info, data, len) == -1) {
free (info);
free (buf);
return NULL;
}
snprintf (buf, 80,
"\tVideo-Framerate: %.3f fps\n"
......
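Review bot: In ot_dirac_info() the results of `malloc (80)` and `malloc(sizeof(dirac_info))` are still unchecked, so dirac_parse_info() writes through `info` even when the allocation failed. The new cleanup branch handles the parse error correctly, but a NULL `info` would be dereferenced before it is reached. A guard ahead of the parse call would close that: `if (buf == NULL || info == NULL) { free (info); free (buf); return NULL; }`. The snprintf() call continues past the end of the hunk, so the later use of `buf` and `info` is not reviewed here.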