[MPlayer-cvslog] r25925 - branches/1.0rc2/libmpdemux/demux_mov.c

rtogni subversion at mplayerhq.hu
Tue Jan 29 23:35:24 CET 2008


Author: rtogni
Date: Tue Jan 29 23:35:24 2008
New Revision: 25925

Log:
Backport of security fixes:

r25920: Do not pointlessly read data, just skip it.
r25921: Make sure chunkmap values are within bounds when using them.
r25922: Check that index is still within bounds of samples array.
Previous check is not enough and the code is not performance critical
so do it the easy way.



Modified:
   branches/1.0rc2/libmpdemux/demux_mov.c

Modified: branches/1.0rc2/libmpdemux/demux_mov.c
==============================================================================
--- branches/1.0rc2/libmpdemux/demux_mov.c	(original)
+++ branches/1.0rc2/libmpdemux/demux_mov.c	Tue Jan 29 23:35:24 2008
@@ -173,11 +173,12 @@ void mov_build_index(mov_track_t* trak,i
     i=trak->chunkmap_size;
     while(i>0){
 	--i;
-	for(j=trak->chunkmap[i].first;j<last;j++){
+	j=FFMAX(trak->chunkmap[i].first, 0);
+	for(;j<last;j++){
 	    trak->chunks[j].desc=trak->chunkmap[i].sdid;
 	    trak->chunks[j].size=trak->chunkmap[i].spc;
 	}
-	last=trak->chunkmap[i].first;
+	last=FFMIN(trak->chunkmap[i].first, trak->chunks_size);
     }
 
 #if 0
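Review bot: The first pass through `for(;j<last;j++)` is bounded by whatever `last` held before the `while`, which is assigned outside this hunk; the added `FFMIN` only limits later passes. If that initial value is not `trak->chunks_size`, the first pass can still write past `chunks[]`, so the dependency deserves a comment above the loop such as `/* last starts at chunks_size; FFMAX/FFMIN keep j inside chunks[] for malformed chunkmap entries */`. The lower clamp also assumes `first` is a signed type, which the hunk does not show; with an unsigned `first`, `FFMAX(..., 0)` has no effect.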
@@ -235,6 +236,8 @@ void mov_build_index(mov_track_t* trak,i
     s=0;
     for(j=0;j<trak->durmap_size;j++){
 	for(i=0;i<trak->durmap[j].num;i++){
+	    if (s >= trak->samples_size)
+		break;
 	    trak->samples[s].pts=pts;
 	    ++s;
 	    pts+=trak->durmap[j].dur;
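Review bot: The added `if (s >= trak->samples_size) break;` leaves only the inner loop, so a file whose duration map names more samples than `samples[]` holds is truncated with no diagnostic while the outer loop keeps iterating. Putting the bound in the outer condition as well, `for(j=0;j<trak->durmap_size && s<trak->samples_size;j++)`, ends the walk cleanly. A single `mp_msg(MSGT_DEMUX, MSGL_WARN, "MOV: durmap exceeds sample count, truncating\n");` after the loop would then make malformed input visible during triage. The same applies to the identical check added to the chunk loop in the next hunk. `s` and `samples_size` are declared outside both hunks, so the comparison should be checked for a signed/unsigned mismatch.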
@@ -246,6 +249,8 @@ void mov_build_index(mov_track_t* trak,i
     for(j=0;j<trak->chunks_size;j++){
 	off_t pos=trak->chunks[j].pos;
 	for(i=0;i<trak->chunks[j].size;i++){
+	    if (s >= trak->samples_size)
+		break;
 	    trak->samples[s].pos=pos;
 	    mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d  off=0x%08X  size=%d\n",s,
 		trak->samples[s].pts,
@@ -1568,8 +1573,7 @@ static void lschunks(demuxer_t* demuxer,
 			if( udta_len>udta_size)
 				udta_len=udta_size;
 			{
-			char dump[udta_len-4];
-			stream_read(demuxer->stream, (char *)&dump, udta_len-4-4);
+			stream_skip(demuxer->stream, udta_len-4-4);
 			udta_size -= udta_len;
 			}
 		    }
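Review bot: `udta_len-4-4` is passed to `stream_skip` with no lower bound visible in this hunk: the only check shown caps `udta_len` at `udta_size`, so a value below 8 gives a negative or wrapped skip length. Unless a guard outside the hunk already guarantees `udta_len >= 8` at this point, the skip should be conditional, e.g. `if (udta_len >= 8) stream_skip(demuxer->stream, udta_len-8);`. The return value of `stream_skip` is also ignored, so a truncated file goes unnoticed here. The enclosing block of `lschunks` starts and ends outside the hunk.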


