mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-09-08 21:28:45 +00:00
Code Issues 1 Projects Releases Wiki Activity

qtdemux: Check for sizes of the rdrf (redirect) atom before accessing the data and use g_strndup() instead of g_strdup()

Browse source 
Thanks to Ralph Giles for reporting this.
This commit is contained in:
Sebastian Dröge 2015-04-29 19:41:29 +02:00
parent 33693525b9
commit 178f0a4522
1 changed files with 34 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
gst/isomp4/qtdemux.c
View file

@ -10634,12 +10634,16 @@ qtdemux_parse_redirects (GstQTDemux * qtdemux)
if (rdrf) { if (rdrf) {
guint32 ref_type; guint32 ref_type;
guint8 *ref_data; guint8 *ref_data;
guint ref_len;
ref_len = QT_UINT32 ((guint8 *) rdrf->data);
if (ref_len > 20) {
ref_type = QT_FOURCC ((guint8 *) rdrf->data + 12); ref_type = QT_FOURCC ((guint8 *) rdrf->data + 12);
ref_data = (guint8 *) rdrf->data + 20; ref_data = (guint8 *) rdrf->data + 20;
if (ref_type == FOURCC_alis) { if (ref_type == FOURCC_alis) {
guint record_len, record_version, fn_len; guint record_len, record_version, fn_len;
if (ref_len > 70) {
/* MacOSX alias record, google for alias-layout.txt */ /* MacOSX alias record, google for alias-layout.txt */
record_len = QT_UINT16 (ref_data + 4); record_len = QT_UINT16 (ref_data + 4);
record_version = QT_UINT16 (ref_data + 4 + 2); record_version = QT_UINT16 (ref_data + 4 + 2);
@ -10647,8 +10651,12 @@ qtdemux_parse_redirects (GstQTDemux * qtdemux)
if (record_len > 50 && record_version == 2 && fn_len > 0) { if (record_len > 50 && record_version == 2 && fn_len > 0) {
ref.location = g_strndup ((gchar *) ref_data + 51, fn_len); ref.location = g_strndup ((gchar *) ref_data + 51, fn_len);
} }
} else {
GST_WARNING_OBJECT (qtdemux, "Invalid rdrf/alis size (%u < 70)",
ref_len);
}
} else if (ref_type == FOURCC_url_) { } else if (ref_type == FOURCC_url_) {
ref.location = g_strdup ((gchar *) ref_data); ref.location = g_strndup ((gchar *) ref_data, ref_len - 8);
} else { } else {
GST_DEBUG_OBJECT (qtdemux, GST_DEBUG_OBJECT (qtdemux,
"unknown rdrf reference type %" GST_FOURCC_FORMAT, "unknown rdrf reference type %" GST_FOURCC_FORMAT,
@ -10656,11 +10664,15 @@ qtdemux_parse_redirects (GstQTDemux * qtdemux)
} }
if (ref.location != NULL) { if (ref.location != NULL) {
GST_INFO_OBJECT (qtdemux, "New location: %s", ref.location); GST_INFO_OBJECT (qtdemux, "New location: %s", ref.location);
redirects = g_list_prepend (redirects, g_memdup (&ref, sizeof (ref))); redirects =
g_list_prepend (redirects, g_memdup (&ref, sizeof (ref)));
} else { } else {
GST_WARNING_OBJECT (qtdemux, GST_WARNING_OBJECT (qtdemux,
"Failed to extract redirect location from rdrf atom"); "Failed to extract redirect location from rdrf atom");
} }
} else {
GST_WARNING_OBJECT (qtdemux, "Invalid rdrf size (%u < 20)", ref_len);
}
} }
/* look for others */ /* look for others */