mpdparser: add some checks to duration parsing

https://bugzilla.gnome.org/show_bug.cgi?id=752336
2024-10-05 10:12:20 +00:00 · 2015-11-02 10:25:38 +00:00 · 2015-11-02 10:25:38 +00:00 · 045a03c14a
commit 045a03c14a
parent 7dca9fb3f4
1 changed files with 217 additions and 155 deletions
--- a/ext/dash/gstmpdparser.c
+++ b/ext/dash/gstmpdparser.c
@ -940,36 +940,50 @@ convert_to_millisecs (guint decimals, gint pos)
 }

 static gboolean
-gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
-    const gchar * property_name, guint64 default_value,
-    guint64 * property_value)
+accumulate (guint64 * v, guint64 mul, guint64 add)
+{
+  guint64 tmp;
+
+  if (*v > G_MAXUINT64 / mul)
+    return FALSE;
+  tmp = *v * mul;
+  if (tmp > G_MAXUINT64 - add)
+    return FALSE;
+  *v = tmp + add;
+  return TRUE;
+}
+
+static gboolean
+gst_mpdparser_parse_duration (const char *str, guint64 * value)
 {
-  xmlChar *prop_string;
-  gchar *str;
  gint ret, len, pos, posT;
  gint years = -1, months = -1, days = -1, hours = -1, minutes = -1, seconds =
      -1, decimals = -1, read;
  gboolean have_ms = FALSE;
-  gboolean exists = FALSE;
+  guint64 tmp_value;

-  *property_value = default_value;
-  prop_string = xmlGetProp (a_node, (const xmlChar *) property_name);
-  if (prop_string) {
-    len = xmlStrlen (prop_string);
-    str = (gchar *) prop_string;
+  len = strlen (str);
  GST_TRACE ("duration: %s, len %d", str, len);
-    if (strchr (str, '-') != NULL) {
-      GST_WARNING ("'-' sign found while parsing unsigned duration");
+  if (strspn (str, "PT0123456789., \tHMDSY") < len) {
+    GST_WARNING ("Invalid character found: '%s'", str);
    goto error;
  }
+  /* skip leading/trailing whitespace */
+  while (strchr (" \t", str[0])) {
+    str++;
+    len--;
+  }
+  while (len > 0 && strchr (" \t", str[len - 1]))
+    --len;
+
  /* read "P" for period */
-    pos = strcspn (str, "P");
-    if (pos != 0) {
+  if (str[0] != 'P') {
    GST_WARNING ("P not found at the beginning of the string!");
    goto error;
  }
  str++;
  len--;
+
  /* read "T" for time (if present) */
  posT = strcspn (str, "T");
  len -= posT;
@ -998,6 +1012,10 @@ gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
            goto error;
          }
          months = read;
+          if (months >= 12) {
+            GST_WARNING ("Month out of range");
+            goto error;
+          }
          break;
        case 'D':
          if (days != -1) {
@ -1005,6 +1023,10 @@ gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
            goto error;
          }
          days = read;
+          if (days >= 31) {
+            GST_WARNING ("Day out of range");
+            goto error;
+          }
          break;
        default:
          GST_WARNING ("unexpected char %c!", str[pos]);
@ -1033,7 +1055,7 @@ gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
  pos = 0;
  if (pos < len) {
    /* T found, there is a time section */
-      /* read hours, minutes, seconds, cents of second */
+    /* read hours, minutes, seconds, hundredths of second */
    do {
      GST_TRACE ("parsing substring %s", str);
      pos = strcspn (str, "HMS,.");
@ -1049,6 +1071,10 @@ gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
            goto error;
          }
          hours = read;
+          if (hours >= 24) {
+            GST_WARNING ("Hour out of range");
+            goto error;
+          }
          break;
        case 'M':
          if (minutes != -1 || seconds != -1) {
@ -1056,6 +1082,10 @@ gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
            goto error;
          }
          minutes = read;
+          if (minutes >= 60) {
+            GST_WARNING ("Minute out of range");
+            goto error;
+          }
          break;
        case 'S':
          if (have_ms) {
@ -1103,14 +1133,46 @@ gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
    decimals = 0;
  GST_TRACE ("H:M:S.MS=%d:%d:%d.%03d", hours, minutes, seconds, decimals);

+  tmp_value = 0;
+  if (!accumulate (&tmp_value, 1, years)
+      || !accumulate (&tmp_value, 365, months * 30)
+      || !accumulate (&tmp_value, 1, days)
+      || !accumulate (&tmp_value, 24, hours)
+      || !accumulate (&tmp_value, 60, minutes)
+      || !accumulate (&tmp_value, 60, seconds)
+      || !accumulate (&tmp_value, 1000, decimals))
+    goto error;
+
+  /* ensure it can be converted from milliseconds to nanoseconds */
+  if (tmp_value > G_MAXUINT64 / 1000000)
+    goto error;
+
+  *value = tmp_value;
+  return TRUE;
+
+error:
+  return FALSE;
+}
+
+static gboolean
+gst_mpdparser_get_xml_prop_duration (xmlNode * a_node,
+    const gchar * property_name, guint64 default_value,
+    guint64 * property_value)
+{
+  xmlChar *prop_string;
+  gchar *str;
+  gboolean exists = FALSE;
+
+  *property_value = default_value;
+  prop_string = xmlGetProp (a_node, (const xmlChar *) property_name);
+  if (prop_string) {
+    str = (gchar *) prop_string;
+    if (!gst_mpdparser_parse_duration (str, property_value))
+      goto error;
+    GST_LOG (" - %s: %" G_GUINT64_FORMAT, property_name, *property_value);
    xmlFree (prop_string);
    exists = TRUE;
-    *property_value =
-        (((((guint64) years * 365 + months * 30 + days) * 24 +
-                hours) * 60 + minutes) * 60 + seconds) * 1000 + decimals;
-    GST_LOG (" - %s: %" G_GUINT64_FORMAT, property_name, *property_value);
  }
-
  return exists;

 error: