Commit 24c6f152 authored by Justin Ruggles's avatar Justin Ruggles
Browse files

Do not read data past the end of the SSND chunk in the AIFF demuxer.

Fixes Issue 1455.

Originally committed as revision 20219 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent dd9d5a1e
......@@ -46,6 +46,10 @@ static const AVCodecTag codec_aiff_tags[] = {
#define AIFF 0
#define AIFF_C_VERSION1 0xA2805140
typedef struct {
int64_t data_end;
} AIFFInputContext;
static enum CodecID aiff_codec_get_id(int bps)
{
if (bps <= 8)
......@@ -314,6 +318,7 @@ static int aiff_read_header(AVFormatContext *s,
unsigned version = AIFF_C_VERSION1;
ByteIOContext *pb = s->pb;
AVStream * st;
AIFFInputContext *aiff = s->priv_data;
/* check FORM header */
filesize = get_tag(pb, &tag);
......@@ -366,6 +371,7 @@ static int aiff_read_header(AVFormatContext *s,
get_meta(s, "comment" , size);
break;
case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */
aiff->data_end = url_ftell(pb) + size;
offset = get_be32(pb); /* Offset of sound data */
get_be32(pb); /* BlockSize... don't care */
offset += url_ftell(pb); /* Compute absolute data offset */
......@@ -420,10 +426,18 @@ static int aiff_read_packet(AVFormatContext *s,
AVPacket *pkt)
{
AVStream *st = s->streams[0];
AIFFInputContext *aiff = s->priv_data;
int64_t max_size;
int res;
/* calculate size of remaining data */
max_size = aiff->data_end - url_ftell(s->pb);
if (max_size <= 0)
return AVERROR_EOF;
/* Now for that packet */
res = av_get_packet(s->pb, pkt, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
max_size = FFMIN(max_size, (MAX_SIZE / st->codec->block_align) * st->codec->block_align);
res = av_get_packet(s->pb, pkt, max_size);
if (res < 0)
return res;
......@@ -436,7 +450,7 @@ static int aiff_read_packet(AVFormatContext *s,
AVInputFormat aiff_demuxer = {
"aiff",
NULL_IF_CONFIG_SMALL("Audio IFF"),
0,
sizeof(AIFFInputContext),
aiff_probe,
aiff_read_header,
aiff_read_packet,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment