[FFmpeg-devel] [PATCH 3/3] LucasArts SMUSH demuxer
Michael Niedermayer
michaelni at gmx.at
Sun Jun 17 15:01:47 CEST 2012
On Thu, Jun 14, 2012 at 12:47:04AM +0000, Paul B Mahol wrote:
[...]
> +static av_cold int read_ainfo1(AVIOContext *pb, smush_ainfo *ainfo)
> +{
> + uint32_t sig, size, chunk_size, read = 0;
> + int got_wave = 0;
> +
> + sig = avio_rb32(pb);
> + if (sig != MKBETAG('F', 'L', 'H', 'D'))
> + return AVERROR_INVALIDDATA;
> +
> + size = avio_rb32(pb);
> + while (!got_wave && ((read + 8) < size)) {
> + sig = avio_rb32(pb);
> + chunk_size = avio_rb32(pb);
> +
> + read += 8;
> + switch (sig) {
> + case MKBETAG('W', 'a', 'v', 'e'):
> + got_wave = 1;
> + ainfo->freq = avio_rl32(pb);
> + ainfo->nchannels = avio_rl32(pb);
> + avio_skip(pb, chunk_size - 8);
> + read += chunk_size;
> + break;
> + case MKBETAG('B', 'l', '1', '6'):
> + case MKBETAG('A', 'N', 'N', 'O'):
> + avio_skip(pb, chunk_size);
> + read += chunk_size;
> + break;
> + }
> + }
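Review bot: in the 'Wave' case, avio_skip(pb, chunk_size - 8) is reached without checking that chunk_size >= 8. chunk_size is uint32_t, so a smaller value wraps and becomes a forward skip of nearly 4 GiB. Reject chunk_size < 8 with AVERROR_INVALIDDATA before reading freq and nchannels. The switch also has no default case, so a chunk with any other tag advances read by only 8 and its payload is then parsed as chunk headers. A default that skips chunk_size, as the 'Bl16'/'ANNO' case does, would keep the parser in sync.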
possible infinite loop with size = 0xFFFFFFFF, and no
'W', 'a', 'v', 'e' before EOF
> +
> + avio_skip(pb, size - read);
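Review bot: got_wave is not tested between the end of the loop and this avio_skip, so in the lines shown a header without a 'Wave' chunk falls through with ainfo->freq and ainfo->nchannels never written. Unless the elided part handles it, add "if (!got_wave) return AVERROR_INVALIDDATA;" before the skip.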
size < read would cause a large forward skip
[...]
> + vstream->codec->extradata = av_malloc(1024 + 2);
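Review bot: the av_malloc() result is assigned to extradata with no NULL check visible on this line. Return AVERROR(ENOMEM) when the allocation fails, unless the elided lines already do. Once padding is added to the size, av_mallocz() would also leave the padding bytes zeroed.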
missing FF_INPUT_BUFFER_PADDING_SIZE
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No great genius has ever existed without some touch of madness. -- Aristotle