diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 062f74632c53e3974de9090e0342177c83c144e4..dd746313b5640355a6f701f0ce0687e741a56495 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -113,40 +113,47 @@ static int ape_tag_read_field(AVFormatContext *s) return 0; } -void ff_ape_parse_tag(AVFormatContext *s) +int64_t ff_ape_parse_tag(AVFormatContext *s) { AVIOContext *pb = s->pb; int file_size = avio_size(pb); uint32_t val, fields, tag_bytes; uint8_t buf[8]; + int64_t tag_start; int i; if (file_size < APE_TAG_FOOTER_BYTES) - return; + return 0; avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); avio_read(pb, buf, 8); /* APETAGEX */ if (strncmp(buf, "APETAGEX", 8)) { - return; + return 0; } val = avio_rl32(pb); /* APE tag version */ if (val > APE_TAG_VERSION) { av_log(s, AV_LOG_ERROR, "Unsupported tag version. (>=%d)\n", APE_TAG_VERSION); - return; + return 0; } tag_bytes = avio_rl32(pb); /* tag size */ if (tag_bytes - APE_TAG_FOOTER_BYTES > (1024 * 1024 * 16)) { av_log(s, AV_LOG_ERROR, "Tag size is way too big\n"); - return; + return 0; + } + + tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES; + if (tag_start < 0) { + av_log(s, AV_LOG_ERROR, "Invalid tag size %u.\n", tag_bytes); + return 0; } fields = avio_rl32(pb); /* number of fields */ if (fields > 65536) { av_log(s, AV_LOG_ERROR, "Too many tag fields (%d)\n", fields); - return; + return 0; } val = avio_rl32(pb); /* flags */ @@ -159,4 +166,6 @@ void ff_ape_parse_tag(AVFormatContext *s) for (i=0; iseekable) { int64_t pos = avio_tell(s->pb); - ff_ape_parse_tag(s); + c->apetag_start = ff_ape_parse_tag(s); avio_seek(s->pb, pos, SEEK_SET); } @@ -258,6 +260,11 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) while(!s->pb->eof_reached){ pos = avio_tell(s->pb); + + /* don't return bogus packets with the ape tag data */ + if (c->apetag_start && pos >= c->apetag_start) + return AVERROR_EOF; + mpc8_get_chunk_header(s->pb, &tag, &size); if (size < 0) return -1; diff --git a/libavformat/wv.c b/libavformat/wv.c index 3fd1abcb87d80b74a1cf7fd3a4f324aa2871ae39..39bb6144d30f9ec90a233f0404dffc94a2ffd6b2 100644 --- a/libavformat/wv.c +++ b/libavformat/wv.c @@ -64,6 +64,8 @@ typedef struct { int block_parsed; uint8_t extra[WV_EXTRA_SIZE]; int64_t pos; + + int64_t apetag_start; } WVContext; static int wv_probe(AVProbeData *p) @@ -88,6 +90,11 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb, uint32_t chmask; wc->pos = avio_tell(pb); + + /* don't return bogus packets with the ape tag data */ + if (wc->apetag_start && wc->pos >= wc->apetag_start) + return AVERROR_EOF; + if (!append) { tag = avio_rl32(pb); if (tag != MKTAG('w', 'v', 'p', 'k')) @@ -252,7 +259,7 @@ static int wv_read_header(AVFormatContext *s) if (s->pb->seekable) { int64_t cur = avio_tell(s->pb); - ff_ape_parse_tag(s); + wc->apetag_start = ff_ape_parse_tag(s); if (!av_dict_get(s->metadata, "", NULL, AV_DICT_IGNORE_SUFFIX)) ff_id3v1_read(s); avio_seek(s->pb, cur, SEEK_SET);