[gst-cvs] gst-plugins-good: qtdemux: use unsigned ints for node length and do more sanity checking of the atom length

Tim Mueller tpm at kemper.freedesktop.org
Thu Sep 24 08:43:25 PDT 2009


Module: gst-plugins-good
Branch: master
Commit: 6b7f4f5e23bd4bfb455c93cf31647db59a50174f
URL:    http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=6b7f4f5e23bd4bfb455c93cf31647db59a50174f

Author: Tim-Philipp Müller <tim.muller at collabora.co.uk>
Date:   Wed Aug 19 19:13:38 2009 +0100

qtdemux: use unsigned ints for node length and do more sanity checking of the atom length

---

 gst/qtdemux/qtdemux.c |   33 +++++++++++++++++++++++----------
 1 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index 957203c..155147b 100644
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -300,9 +300,9 @@ static GstFlowReturn gst_qtdemux_chain (GstPad * sinkpad, GstBuffer * inbuf);
 static gboolean gst_qtdemux_handle_sink_event (GstPad * pad, GstEvent * event);
 
 static gboolean qtdemux_parse_moov (GstQTDemux * qtdemux, const guint8 * buffer,
-    int length);
+    guint length);
 static gboolean qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node,
-    const guint8 * buffer, int length);
+    const guint8 * buffer, guint length);
 static gboolean qtdemux_parse_tree (GstQTDemux * qtdemux);
 
 static void gst_qtdemux_handle_esds (GstQTDemux * qtdemux,
@@ -2888,7 +2888,7 @@ qtdemux_zfree (void *opaque, void *addr)
 }
 
 static void *
-qtdemux_inflate (void *z_buffer, int z_length, int length)
+qtdemux_inflate (void *z_buffer, guint z_length, guint length)
 {
   guint8 *buffer;
   z_stream *z;
@@ -2925,7 +2925,7 @@ qtdemux_inflate (void *z_buffer, int z_length, int length)
 #endif /* HAVE_ZLIB */
 
 static gboolean
-qtdemux_parse_moov (GstQTDemux * qtdemux, const guint8 * buffer, int length)
+qtdemux_parse_moov (GstQTDemux * qtdemux, const guint8 * buffer, guint length)
 {
   GNode *cmov;
 
@@ -2949,13 +2949,13 @@ qtdemux_parse_moov (GstQTDemux * qtdemux, const guint8 * buffer, int length)
     switch (method) {
 #ifdef HAVE_ZLIB
       case GST_MAKE_FOURCC ('z', 'l', 'i', 'b'):{
-        int uncompressed_length;
-        int compressed_length;
+        guint uncompressed_length;
+        guint compressed_length;
         guint8 *buf;
 
         uncompressed_length = QT_UINT32 ((guint8 *) cmvd->data + 8);
         compressed_length = QT_UINT32 ((guint8 *) cmvd->data + 4) - 12;
-        GST_LOG ("length = %d", uncompressed_length);
+        GST_LOG ("length = %u", uncompressed_length);
 
         buf =
             (guint8 *) qtdemux_inflate ((guint8 *) cmvd->data + 12,
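Review bot: `compressed_length = QT_UINT32 ((guint8 *) cmvd->data + 4) - 12` has no lower bound, and now that the variable is a `guint`, a stored size below 12 wraps to a value near 4 GiB instead of going negative. That value is then passed to qtdemux_inflate as the input length. Read the size field first and reject it before subtracting, e.g. `guint cmvd_size = QT_UINT32 ((guint8 *) cmvd->data + 4);` followed by `if (cmvd_size < 12) goto invalid_compression;` (the label is a placeholder for whatever error exit qtdemux_parse_moov already has), and ideally also compare it with the bytes actually held for the cmvd node. `uncompressed_length` is likewise taken from the file unchecked; the body of qtdemux_inflate is not in this diff, so whether it caps the allocation cannot be seen here. The call statement continues past the end of the hunk.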
@@ -3083,14 +3083,14 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
 
 static gboolean
 qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer,
-    int length)
+    guint length)
 {
   guint32 fourcc;
   guint32 node_length;
   const QtNodeType *type;
   const guint8 *end;
 
-  GST_LOG_OBJECT (qtdemux, "qtdemux_parse buffer %p length %d", buffer, length);
+  GST_LOG_OBJECT (qtdemux, "qtdemux_parse buffer %p length %u", buffer, length);
 
   node_length = QT_UINT32 (buffer);
   fourcc = QT_FOURCC (buffer + 4);
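Review bot: `QT_UINT32 (buffer)` and `QT_FOURCC (buffer + 4)` read the eight header bytes before any visible check that `length` is at least 8, and the guard this commit adds further down only compares `node_length > length`. If a caller can pass a tail shorter than an atom header, these reads run past the buffer; `if (length < 8) return FALSE;` ahead of them would close that. Such a guard cannot reuse the broken_file message, which prints fourcc and node_length. The lines between this hunk and the next are not shown and the function body continues outside the hunk, so callers may already guarantee this; it is worth confirming.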
@@ -3104,9 +3104,12 @@ qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer,
   end = buffer + length;
 
   GST_LOG_OBJECT (qtdemux,
-      "parsing '%" GST_FOURCC_FORMAT "', length=%d, name '%s'",
+      "parsing '%" GST_FOURCC_FORMAT "', length=%u, name '%s'",
       GST_FOURCC_ARGS (fourcc), node_length, type->name);
 
+  if (node_length > length)
+    goto broken_file;
+
   if (type->flags & QT_FLAG_CONTAINER) {
     qtdemux_parse_container (qtdemux, node, buffer + 8, end);
   } else {
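Review bot: The new `node_length > length` test bounds the declared atom size only from above; a size field smaller than the 8-byte header still passes, and the container branch then calls qtdemux_parse_container with `buffer + 8` and `end = buffer + length`. `end` is also derived from `length`, not `node_length`, so a container whose declared size is smaller than the buffer is still parsed up to the end of the buffer. If both are intended, a comment such as `/* node_length comes from the file; only the upper bound is enforced here */` would help. Otherwise consider `if (node_length < 8 || node_length > length)`, allowing for any size values the format treats specially. The code between the hunks is not visible, so an earlier filter may already exist.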
@@ -3233,6 +3236,16 @@ qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer,
   GST_LOG_OBJECT (qtdemux, "parsed '%" GST_FOURCC_FORMAT,
       GST_FOURCC_ARGS (fourcc));
   return TRUE;
+
+/* ERRORS */
+broken_file:
+  {
+    GST_ELEMENT_ERROR (qtdemux, STREAM, DEMUX,
+        (_("This file is corrupt and cannot be played.")),
+        ("Atom '%" GST_FOURCC_FORMAT "' has size of %u bytes, but we have only "
+         "%u bytes available.", GST_FOURCC_ARGS (fourcc), node_length, length));
+    return FALSE;
+  }
 }
 
 static GNode *




