gst/avi/gstavidemux.c: Fix some crashers with empty chunks. (Fixes #337749)

Original commit message from CVS: Patch by: Ryan Lortie (desrt) <desrt at destr dot ca> * gst/avi/gstavidemux.c: (gst_avi_demux_parse_superindex), (gst_avi_demux_parse_stream), (gst_avi_demux_parse_index), (gst_avi_demux_stream_header): Fix some crashers with empty chunks. (Fixes #337749)
2024-07-10 08:35:58 +00:00 · 2006-04-10 10:10:55 +00:00 · 2006-04-10 10:10:55 +00:00 · 4bdbbeb426
parent 31a227b2aa
commit 4bdbbeb426
2 changed files with 38 additions and 22 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2006-04-10  Wim Taymans  <wim@fluendo.com>
+
+	Patch by: Ryan Lortie (desrt) <desrt at destr dot ca>
+
+	* gst/avi/gstavidemux.c: (gst_avi_demux_parse_superindex),
+	(gst_avi_demux_parse_stream), (gst_avi_demux_parse_index),
+	(gst_avi_demux_stream_header):
+	Fix some crashers with empty chunks. (Fixes #337749)
+
 2006-04-09  Sebastien Moutte  <sebastien@moutte.net>

 	* gst/level/gstlevel.c: (gst_level_set_caps),(gst_level_transform_ip):
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@ -724,7 +724,7 @@ static gboolean
 gst_avi_demux_parse_superindex (GstElement * element,
    GstBuffer * buf, guint64 ** _indexes)
 {
-  guint8 *data = GST_BUFFER_DATA (buf);
+  guint8 *data;
  gint bpe = 16, num, i;
  guint64 *indexes;

@ -733,9 +733,11 @@ gst_avi_demux_parse_superindex (GstElement * element,
  if (buf == NULL)
    goto no_buffer;

-  if (!buf || GST_BUFFER_SIZE (buf) < 24)
+  if (GST_BUFFER_SIZE (buf) < 24)
    goto too_small;

+  data = GST_BUFFER_DATA (buf);
+
  /* check type of index. The opendml2 specs state that
   * there should be 4 dwords per array entry. Type can be
   * either frame or field (and we don't care). */
@ -1031,6 +1033,7 @@ gst_avi_demux_parse_stream (GstElement * element, GstBuffer * buf)

  /* read strd/strn */
  while (gst_riff_parse_chunk (element, buf, &offset, &tag, &sub)) {
+    /* sub can be NULL if the chunk is empty */
    switch (tag) {
      case GST_RIFF_TAG_strd:
        if (stream->initdata)
@ -1039,11 +1042,15 @@ gst_avi_demux_parse_stream (GstElement * element, GstBuffer * buf)
        break;
      case GST_RIFF_TAG_strn:
        g_free (stream->name);
-        stream->name = g_new (gchar, GST_BUFFER_SIZE (sub) + 1);
-        memcpy (stream->name, GST_BUFFER_DATA (sub), GST_BUFFER_SIZE (sub));
-        stream->name[GST_BUFFER_SIZE (sub)] = '\0';
-        gst_buffer_unref (sub);
-        sub = NULL;
+        if (sub != NULL) {
+          stream->name = g_new (gchar, GST_BUFFER_SIZE (sub) + 1);
+          memcpy (stream->name, GST_BUFFER_DATA (sub), GST_BUFFER_SIZE (sub));
+          stream->name[GST_BUFFER_SIZE (sub)] = '\0';
+          gst_buffer_unref (sub);
+          sub = NULL;
+        } else {
+          stream->name = g_strdup ("");
+        }
        break;
      default:
        if (tag == GST_MAKE_FOURCC ('i', 'n', 'd', 'x') ||
@ -1058,8 +1065,10 @@ gst_avi_demux_parse_stream (GstElement * element, GstBuffer * buf)
            GST_FOURCC_ARGS (tag));
        /* fall-through */
      case GST_RIFF_TAG_JUNK:
-        gst_buffer_unref (sub);
-        sub = NULL;
+        if (sub != NULL) {
+          gst_buffer_unref (sub);
+          sub = NULL;
+        }
        break;
    }
  }
@ -2075,13 +2084,15 @@ gst_avi_demux_stream_header (GstAviDemux * avi)

  /* now, read the elements from the header until the end */
  while (gst_riff_parse_chunk (GST_ELEMENT (avi), buf, &offset, &tag, &sub)) {
+    /* sub can be NULL on empty tags */
+    if (!sub)
+      continue;
+
    switch (tag) {
      case GST_RIFF_TAG_LIST:
-        if (!sub || GST_BUFFER_SIZE (sub) < 4) {
-          if (sub) {
-            gst_buffer_unref (sub);
-            sub = NULL;
-          }
+        if (GST_BUFFER_SIZE (sub) < 4) {
+          gst_buffer_unref (sub);
+          sub = NULL;
          break;
        }

@ -2100,10 +2111,8 @@ gst_avi_demux_stream_header (GstAviDemux * avi)
                GST_FOURCC_ARGS (GST_READ_UINT32_LE (GST_BUFFER_DATA (sub))));
            /* fall-through */
          case GST_RIFF_TAG_JUNK:
-            if (sub) {
-              gst_buffer_unref (sub);
-              sub = NULL;
-            }
+            gst_buffer_unref (sub);
+            sub = NULL;
            break;
        }
        break;
@ -2113,10 +2122,8 @@ gst_avi_demux_stream_header (GstAviDemux * avi)
            offset, GST_FOURCC_ARGS (tag));
        /* fall-through */
      case GST_RIFF_TAG_JUNK:
-        if (sub) {
-          gst_buffer_unref (sub);
-          sub = NULL;
-        }
+        gst_buffer_unref (sub);
+        sub = NULL;
        break;
    }
  }