[MPlayer-cvslog] r37644 - trunk/libmpdemux/demux_mkv.c

reimar subversion at mplayerhq.hu
Tue Feb 9 22:41:14 CET 2016


Author: reimar
Date: Tue Feb  9 22:41:14 2016
New Revision: 37644

Log:
demux_mkv: Add range checks.

Fixes Coverity warnings.

Modified:
   trunk/libmpdemux/demux_mkv.c

Modified: trunk/libmpdemux/demux_mkv.c
==============================================================================
--- trunk/libmpdemux/demux_mkv.c	Tue Feb  9 22:36:16 2016	(r37643)
+++ trunk/libmpdemux/demux_mkv.c	Tue Feb  9 22:41:14 2016	(r37644)
@@ -1858,7 +1858,8 @@ static int demux_mkv_open_audio(demuxer_
                && !strncmp(track->codec_id, MKV_A_REALATRC, 7)) {
         /* Common initialization for all RealAudio codecs */
         unsigned char *src = track->private_data;
-        int codecdata_length, version;
+        unsigned char *src_end = src + track->private_size;
+        unsigned codecdata_length, version;
         int flavor;
 
         sh_a->wf->nAvgBytesPerSec = 0;  /* FIXME !? */
@@ -1871,16 +1872,23 @@ static int demux_mkv_open_audio(demuxer_
         track->sub_packet_size = AV_RB16(src + 44);
         if (version == 4) {
             src += RAPROPERTIES4_SIZE;
+            if (src[0] + 1 > src_end - src) goto err_out;
             src += src[0] + 1;
+            if (src[0] + 1 > src_end - src) goto err_out;
             src += src[0] + 1;
-        } else
+        } else {
+            if (RAPROPERTIES5_SIZE > src_end - src) goto err_out;
             src += RAPROPERTIES5_SIZE;
+        }
 
+        if (4 > src_end - src) goto err_out;
         src += 3;
         if (version == 5)
             src++;
+        if (4 > src_end - src) goto err_out;
         codecdata_length = AV_RB32(src);
         src += 4;
+        codecdata_length = FFMIN(codecdata_length, src_end - src);
         sh_a->wf->cbSize = codecdata_length;
         sh_a->wf = realloc(sh_a->wf, sizeof(*sh_a->wf) + sh_a->wf->cbSize);
         memcpy(((char *) (sh_a->wf + 1)), src, codecdata_length);


More information about the MPlayer-cvslog mailing list