[FFmpeg-cvslog] r12241 - trunk/libavformat/mov.c

Baptiste Coudurier baptiste.coudurier
Wed Feb 27 10:32:16 CET 2008


Hi,

Michael Niedermayer wrote:
> On Tue, Feb 26, 2008 at 07:21:58PM +0100, bcoudurier wrote:
>> Author: bcoudurier
>> Date: Tue Feb 26 19:21:58 2008
>> New Revision: 12241
>>
>> Log:
>> support mov reference files, ref.mov/ref.m2v/ref.wav and detect BrianCox.mov
> [...]
>> +static int mov_read_dref(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
>> +{
>> +    AVStream *st = c->fc->streams[c->fc->nb_streams-1];
>> +    MOVStreamContext *sc = st->priv_data;
>> +    int entries, i, j;
>> +
>> +    get_be32(pb); // version + flags
>> +    entries = get_be32(pb);
>> +    if (entries >= UINT_MAX / sizeof(*sc->drefs))
>> +        return -1;
>> +    sc->drefs_count = entries;
>> +    sc->drefs = av_mallocz(entries * sizeof(*sc->drefs));
>> +
>> +    for (i = 0; i < sc->drefs_count; i++) {
>> +        MOV_dref_t *dref = &sc->drefs[i];
>> +        uint32_t size = get_be32(pb);
>> +        offset_t next = url_ftell(pb) + size - 4;
>> +
>> +        dref->type = get_le32(pb);
>> +        get_be32(pb); // version + flags
>> +        dprintf(c->fc, "type %.4s size %d\n", (char*)&dref->type, size);
>> +
>> +        if (dref->type == MKTAG('a','l','i','s') && size > 150) {
>> +            /* macintosh alias record */
>> +            uint16_t volume_len, len;
>> +            char volume[28];
>> +            int16_t type;
>> +
>> +            url_fskip(pb, 10);
>> +
>> +            volume_len = get_byte(pb);
>> +            volume_len = FFMIN(volume_len, 27);
>> +            get_buffer(pb, volume, 27);
>> +            volume[volume_len] = 0;
>> +            av_log(c->fc, AV_LOG_DEBUG, "volume %s, len %d\n", volume, volume_len);
>> +
>> +            url_fskip(pb, 112);
>> +
>> +            for (type = 0; type != -1 && url_ftell(pb) < next; ) {
>> +                type = get_be16(pb);
>> +                len = get_be16(pb);
>> +                av_log(c->fc, AV_LOG_DEBUG, "type %d, len %d\n", type, len);
>> +                if (len&1)
>> +                    len += 1;
>> +                if (type == 2) { // absolute path
>> +                    dref->path = av_mallocz(len+1);
>> +                    get_buffer(pb, dref->path, len);
>> +                    if (!strncmp(dref->path, volume, volume_len)) {
>> +                        len -= volume_len;
>> +                        memmove(dref->path, dref->path+volume_len, len);
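Review bot: Neither `av_mallocz()` result in mov_read_dref is checked before use: `sc->drefs` is indexed by the loop straight after the allocation, and `dref->path` is handed to `get_buffer()` as the destination. Both sizes come from the file (`entries`, `len`), so a failed allocation becomes a NULL write; I would add `if (!sc->drefs) return -1;` before `sc->drefs_count = entries;` and `if (!dref->path) return -1;` after the second call. A second type 2 record in the same alias also overwrites `dref->path` without releasing the earlier buffer, so an `av_free(dref->path);` before that allocation looks needed. The function body continues past the quoted lines, so any later cleanup is not visible here.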
> 
> Let's assume the first byte of dref->path and volume are 0
> len=2
> volume_len=27
> then memmove() will be executed with a len of 65511, which is larger than the
> array
> 

Thanks, fixed.

-- 
Baptiste COUDURIER                              GnuPG Key Id: 0x5C1ABAAA
SMARTJOG S.A.                                    http://www.smartjog.com
Key fingerprint                 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
Phone: +33 1 49966312



