gst/avi/gstavidemux.c: Fix some crashers with empty chunks. (Fixes #337749)

Original commit message from CVS:
Patch by: Ryan Lortie (desrt) <desrt at destr dot ca>
* gst/avi/gstavidemux.c: (gst_avi_demux_parse_superindex),
(gst_avi_demux_parse_stream), (gst_avi_demux_parse_index),
(gst_avi_demux_stream_header):
Fix some crashers with empty chunks. (Fixes #337749)
This commit is contained in:
Ryan Lortie (desrt) 2006-04-10 10:10:55 +00:00 committed by Wim Taymans
parent 31a227b2aa
commit 4bdbbeb426
2 changed files with 38 additions and 22 deletions

View file

@ -1,3 +1,12 @@
2006-04-10 Wim Taymans <wim@fluendo.com>
Patch by: Ryan Lortie (desrt) <desrt at destr dot ca>
* gst/avi/gstavidemux.c: (gst_avi_demux_parse_superindex),
(gst_avi_demux_parse_stream), (gst_avi_demux_parse_index),
(gst_avi_demux_stream_header):
Fix some crashers with empty chunks. (Fixes #337749)
2006-04-09 Sebastien Moutte <sebastien@moutte.net>
* gst/level/gstlevel.c: (gst_level_set_caps),(gst_level_transform_ip):

View file

@ -724,7 +724,7 @@ static gboolean
gst_avi_demux_parse_superindex (GstElement * element,
GstBuffer * buf, guint64 ** _indexes)
{
guint8 *data = GST_BUFFER_DATA (buf);
guint8 *data;
gint bpe = 16, num, i;
guint64 *indexes;
@ -733,9 +733,11 @@ gst_avi_demux_parse_superindex (GstElement * element,
if (buf == NULL)
goto no_buffer;
if (!buf || GST_BUFFER_SIZE (buf) < 24)
if (GST_BUFFER_SIZE (buf) < 24)
goto too_small;
data = GST_BUFFER_DATA (buf);
/* check type of index. The opendml2 specs state that
* there should be 4 dwords per array entry. Type can be
* either frame or field (and we don't care). */
@ -1031,6 +1033,7 @@ gst_avi_demux_parse_stream (GstElement * element, GstBuffer * buf)
/* read strd/strn */
while (gst_riff_parse_chunk (element, buf, &offset, &tag, &sub)) {
/* sub can be NULL if the chunk is empty */
switch (tag) {
case GST_RIFF_TAG_strd:
if (stream->initdata)
@ -1039,11 +1042,15 @@ gst_avi_demux_parse_stream (GstElement * element, GstBuffer * buf)
break;
case GST_RIFF_TAG_strn:
g_free (stream->name);
stream->name = g_new (gchar, GST_BUFFER_SIZE (sub) + 1);
memcpy (stream->name, GST_BUFFER_DATA (sub), GST_BUFFER_SIZE (sub));
stream->name[GST_BUFFER_SIZE (sub)] = '\0';
gst_buffer_unref (sub);
sub = NULL;
if (sub != NULL) {
stream->name = g_new (gchar, GST_BUFFER_SIZE (sub) + 1);
memcpy (stream->name, GST_BUFFER_DATA (sub), GST_BUFFER_SIZE (sub));
stream->name[GST_BUFFER_SIZE (sub)] = '\0';
gst_buffer_unref (sub);
sub = NULL;
} else {
stream->name = g_strdup ("");
}
break;
default:
if (tag == GST_MAKE_FOURCC ('i', 'n', 'd', 'x') ||
@ -1058,8 +1065,10 @@ gst_avi_demux_parse_stream (GstElement * element, GstBuffer * buf)
GST_FOURCC_ARGS (tag));
/* fall-through */
case GST_RIFF_TAG_JUNK:
gst_buffer_unref (sub);
sub = NULL;
if (sub != NULL) {
gst_buffer_unref (sub);
sub = NULL;
}
break;
}
}
@ -2075,13 +2084,15 @@ gst_avi_demux_stream_header (GstAviDemux * avi)
/* now, read the elements from the header until the end */
while (gst_riff_parse_chunk (GST_ELEMENT (avi), buf, &offset, &tag, &sub)) {
/* sub can be NULL on empty tags */
if (!sub)
continue;
switch (tag) {
case GST_RIFF_TAG_LIST:
if (!sub || GST_BUFFER_SIZE (sub) < 4) {
if (sub) {
gst_buffer_unref (sub);
sub = NULL;
}
if (GST_BUFFER_SIZE (sub) < 4) {
gst_buffer_unref (sub);
sub = NULL;
break;
}
@ -2100,10 +2111,8 @@ gst_avi_demux_stream_header (GstAviDemux * avi)
GST_FOURCC_ARGS (GST_READ_UINT32_LE (GST_BUFFER_DATA (sub))));
/* fall-through */
case GST_RIFF_TAG_JUNK:
if (sub) {
gst_buffer_unref (sub);
sub = NULL;
}
gst_buffer_unref (sub);
sub = NULL;
break;
}
break;
@ -2113,10 +2122,8 @@ gst_avi_demux_stream_header (GstAviDemux * avi)
offset, GST_FOURCC_ARGS (tag));
/* fall-through */
case GST_RIFF_TAG_JUNK:
if (sub) {
gst_buffer_unref (sub);
sub = NULL;
}
gst_buffer_unref (sub);
sub = NULL;
break;
}
}