From 56d97fc7556b3d0c383eb62c08f70fd8d5be0285 Mon Sep 17 00:00:00 2001 From: Andre Noll Date: Mon, 19 Oct 2009 21:52:49 +0200 Subject: [PATCH] read_asf_header() sanity-check header len. --- wma_common.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/wma_common.c b/wma_common.c index be195e66..3326cfff 100644 --- a/wma_common.c +++ b/wma_common.c @@ -47,7 +47,7 @@ static int find_audio_stream_info(const char *buf, int len) if (!p) return -E_WMA_NO_GUID; PARA_DEBUG_LOG("found audio stream guid@%0zx\n", p - buf); - return p - buf; + return p - buf + 16; } static int read_header_len(char *buf, int len) @@ -62,8 +62,14 @@ static int read_header_len(char *buf, int len) } /** + * Read an asf audio file header. + * + * \param buf The input buffer. + * \param loaded Number of bytes in \a buf. + * \param ahi Result pointer. + * * \return Negative on errors, zero if more data is needed in order to read the - * full header. Positive header length on success. + * full header, 1 on success. */ int read_asf_header(char *buf, int loaded, struct asf_header_info *ahi) { @@ -78,10 +84,10 @@ int read_asf_header(char *buf, int loaded, struct asf_header_info *ahi) ret = find_audio_stream_info(buf, ahi->header_len); if (ret < 0) return ret; - /* FIXME: Check ranges */ - ahi->audio_stream_info_start = ret + 16; + if (ret + 62 > loaded) + return 0; + ahi->audio_stream_info_start = ret; start = buf + ahi->audio_stream_info_start; - ahi->channels = ((uint8_t *)start)[40]; ahi->sample_rate = read_u16(start + 42); PARA_NOTICE_LOG("%d channels, sample rate: %d\n", ahi->channels, -- 2.39.5