Revision 95ec3d4c
| libavformat/matroskadec.c | ||
|---|---|---|
| 58 | 58 |
EBML_NEST, |
| 59 | 59 |
EBML_PASS, |
| 60 | 60 |
EBML_STOP, |
| 61 |
EBML_TYPE_COUNT |
|
| 61 | 62 |
} EbmlType; |
| 62 | 63 |
|
| 63 | 64 |
typedef const struct EbmlSyntax {
|
| ... | ... | |
| 780 | 781 |
static int ebml_parse_elem(MatroskaDemuxContext *matroska, |
| 781 | 782 |
EbmlSyntax *syntax, void *data) |
| 782 | 783 |
{
|
| 784 |
static const uint64_t max_lengths[EBML_TYPE_COUNT] = {
|
|
| 785 |
[EBML_UINT] = 8, |
|
| 786 |
[EBML_FLOAT] = 8, |
|
| 787 |
// max. 16 MB for strings |
|
| 788 |
[EBML_STR] = 0x1000000, |
|
| 789 |
[EBML_UTF8] = 0x1000000, |
|
| 790 |
// max. 256 MB for binary data |
|
| 791 |
[EBML_BIN] = 0x10000000, |
|
| 792 |
// no limits for anything else |
|
| 793 |
}; |
|
| 783 | 794 |
ByteIOContext *pb = matroska->ctx->pb; |
| 784 | 795 |
uint32_t id = syntax->id; |
| 785 | 796 |
uint64_t length; |
| ... | ... | |
| 798 | 809 |
matroska->current_id = 0; |
| 799 | 810 |
if ((res = ebml_read_length(matroska, pb, &length)) < 0) |
| 800 | 811 |
return res; |
| 812 |
if (max_lengths[syntax->type] && length > max_lengths[syntax->type]) {
|
|
| 813 |
av_log(matroska->ctx, AV_LOG_ERROR, |
|
| 814 |
"Invalid length 0x%"PRIx64" > 0x%"PRIx64" for syntax element %i\n", |
|
| 815 |
length, max_lengths[syntax->type], syntax->type); |
|
| 816 |
return AVERROR_INVALIDDATA; |
|
| 817 |
} |
|
| 801 | 818 |
} |
| 802 | 819 |
|
| 803 | 820 |
switch (syntax->type) {
|
Also available in: Unified diff